mirror of
https://github.com/sigmasternchen/php-doc-en
synced 2025-03-15 16:38:54 +00:00
Translated / fixed most text to be actually something that looks like English
git-svn-id: https://svn.php.net/repository/phpdoc/en/trunk@342209 c90b9560-bf6c-de11-be94-00142212c4b1
This commit is contained in:
parent
b7db81dd3f
commit
1855e35cf8
1 changed files with 29 additions and 29 deletions
@ -7,9 +7,9 @@
External links: <link xlink:href="&url.session-fixation;">Session fixation</link>
</para>
<para>
HTTP session management is core of web security. All of mitigation
should be adopted to make sure session security. Developer should
enable/use applicable security measures.
HTTP session management is the core of web security. All mitigations
should be adopted to make sure sessions are secured. Developers should
also enable/use applicable security measures.
</para>
<sect1 xml:id="features.session.security.management">
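Review bot: the new wording "to make sure sessions are secured" in the second sentence of this paragraph is still awkward; "All mitigations should be adopted to keep sessions secure" reads more naturally. The rest of the rewrite (the added articles, plural "Developers", added "also") is fine.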
@ -52,10 +52,11 @@
<note>
<simpara>
Even HTTPS cannot protect confidential data in contents sometimes.
e.g. CRIME, Beast attack. There are many networks that use
HTTPS MITM proxy for audit purpose. Attackers may setup such proxy
also.
Even HTTPS cannot protect confidential data at all times.
For example the CRIME and Beast vulnerabilities may enable an
attacker to read the data. Also note that there are many networks
that use HTTPS MITM proxies for audit purposes. Attackers may also
set up such a proxy.
</simpara>
</note>
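Review bot: "Beast" in the added line "For example the CRIME and Beast vulnerabilities may enable an" should be written BEAST, since it is an acronym like CRIME; a comma after "For example" would also help. Note too that the rewrite replaces the original qualifier "sometimes" with "at all times"; the meaning survives, but "HTTPS alone does not always protect confidential data" would state it more directly.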
@ -65,33 +66,33 @@
<title>Non-Adaptive Session Management</title>
<para>
PHP's session manager is adaptive by default currently. Adaptive session manger
PHP's session manager is adaptive by default currently. Adaptive session manager
has additional risks.
</para>
<para>
Since PHP 5.5.2, <link linkend="ini.session.use-strict-mode">session.use_strict_mode</link>
is available. When it is enabled and session save handler supports
it, uninitialized session ID is rejected and new session ID is
created. This protects attack that forces users to use known session
ID. Attacker may paste links or send mail that contains session
is available. When it is enabled, and the session save handler supports
it, an uninitialized session ID is rejected and a new session ID is
created. This prevents an attack that forces users to use known session
ID. Attacker may paste links or send mail that contains the session
ID. e.g. http://example.com/page.php?PHPSESSID=123456789 If <link
linkend="ini.session.use-trans-sid">session.use_trans_sid</link> is
enabled, victim will start session using attacker provided session
ID. <link linkend="ini.session.use-strict-mode">session.use_strict_mode</link>
enabled, the victim will start a session using the attacker provided
session ID. <link linkend="ini.session.use-strict-mode">session.use_strict_mode</link>
mitigates the risk.
</para>
<warning>
<simpara>
User defined save handler can also support strict session mode by implementing
session ID validation function/method. All user defined save handlers must
implement session ID validation function/method.
User defined save handlers can also support strict session mode by
implementing session ID validation. All user defined save handlers must
implement session ID validation.
</simpara>
</warning>
<para>
Session ID cookie could be set with domain, path, httponly, secure
The session ID cookie could be set with domain, path, httponly and secure
attributes. There is precedence defined by browsers. By using the
precedence, attacker can set session ID that could be used
permanently. Use of <link
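Review bot: the article fixes are inconsistent within this hunk. The new line "ID. Attacker may paste links or send mail that contains the session" still lacks "An", while the same paragraph now says "a new session ID" and "the victim"; suggest "An attacker may paste links or send mail ...". In "using the attacker provided session ID", hyphenate the compound modifier: "attacker-provided".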
@ -100,16 +101,14 @@
linkend="ini.session.use-strict-mode">session.use_strict_mode</link>
mitigates this risk. With <link
linkend="ini.session.use-strict-mode">session.use_strict_mode</link>=On,
uninitialized session ID will not be accepted. Session module
creates new session ID always when session ID is not initialized by
session module.
the uninitialized session ID will not be accepted.
</para>
<note>
<simpara>
Even though <link
linkend="ini.session.use-strict-mode">session.use_strict_mode</link>
mitigates risk of adoptive session management, attacker can force
mitigates the risk of adoptive session management, attacker can force
users to use initialized session ID which is created by attacker. e.g.
JavaScript injection. This attack could be mitigated by this manual's
recommendations.
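Review bot: the removed lines "Session module / creates new session ID always when session ID is not initialized by / session module." are not just a wording problem; they state the behaviour that matters here (a rejected ID is replaced by a freshly generated one), and the replacement "the uninitialized session ID will not be accepted." drops it. Suggest keeping it, e.g. "an uninitialized session ID will not be accepted and the session module generates a new one." Also, in the new line "mitigates the risk of adoptive session management, attacker can force", "adoptive" should be "adaptive" to match the section's own term, and "attacker" still needs "an".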
@ -127,7 +126,7 @@
<simpara>
When obsolete session access happened, you should save all active
session data for the user. It will be useful for investigation later.
Then, force user to logout from all sessions. i.e. Require users
Then force the user to logout from all sessions. i.e. Require users
to re-authenticate. This way, you can prevent attackers from
keep abusing stolen sessions.
</simpara>
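Review bot: in the new line "Then force the user to logout from all sessions. i.e. Require users", "logout" is used as a verb and should be "log out"; "i.e." also opens a sentence here, so "from all sessions, i.e. require users to re-authenticate" would read better.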
@ -634,7 +633,7 @@
<listitem>
<para>
<link linkend="ini.session.trans-sid-tags">session.trans_sid_tags</link>=[limitted tags]
<link linkend="ini.session.trans-sid-tags">session.trans_sid_tags</link>=[limited tags]
</para>
<para>
(PHP 7.1.0 >=) You should not rewrite unneeded HTML tags. Default
@ -645,7 +644,7 @@
<listitem>
<para>
<link linkend="ini.session.trans-sid-hosts">session.trans_sid_hosts</link>=[limitted hosts]
<link linkend="ini.session.trans-sid-hosts">session.trans_sid_hosts</link>=[limited hosts]
</para>
<para>
(PHP 7.1.0 >=) This INI defines whitelist hosts that allows trans sid
@ -661,11 +660,12 @@
<para>
When <link
linkend="ini.session.use-trans-sid">session.use_trans_sid</link>
is enabled, use of this setting is recommended.
is enabled.
It reduces risk of session ID injection. If your site is
http://example.com/, set http://example.com/ to it. Note that when
HTTPS is used, browser will not send referrer header. Browser may
not send referrer header by configuration. Therefore, this setting
HTTPS is used the browser will not send the referrer header. Browsers may
not send the referrer header by configuration. Use of this
setting is recommended Therefore, this setting
is not reliable security measure.
</para>
</listitem>
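Review bot: moving the recommendation breaks this paragraph. The new lines "not send the referrer header by configuration. Use of this / setting is recommended Therefore, this setting / is not reliable security measure." are missing a full stop after "recommended" and now read as if the setting is recommended because it is unreliable. The original placement ("is enabled, use of this setting is recommended.") was correct; suggest restoring it and closing the paragraph with "Therefore, this setting is not a reliable security measure."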
@ -676,7 +676,7 @@
</para>
<para>
Make sure HTTP contents are not cached for authenticated
session. Allow caching only when contents is not private.
session. Allow caching only when contents are not private.
Otherwise, contents may be exposed. "private" may be used
if HTTP content does not include security sensitive data. Note
that "private" may leave private data cached by shared
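Review bot: the plural fix "Allow caching only when contents are not private." is correct on its own, but the unchanged context two lines below still uses the singular ("if HTTP content does not include security sensitive data"); since this paragraph is being edited anyway, pick one form ("content" / "content is") throughout.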