
Detailed graphic explanation of codeigniter security precautions in PHP

May 24, 2018 am 10:14 AM

This article introduces the security precautions to take when using CodeIgniter in PHP. Interested readers can refer to it; I hope it will be helpful to everyone.

1. httponly

The session cookie must be HttpOnly, otherwise it may be attacked through XSS: JavaScript can read the session_id from the cookie.

You should use the framework's ci_session: a longer session id and HttpOnly are all configured by default.

Don't use the native PHP session; use ci_session, whose session id is longer.

If you want to use the native session, set it like this (php.ini):

session.sid_length //the length of the sid; lengthen it here, the default is too short

session.cookie_httponly = 1 //with this set, the native session cookie becomes HttpOnly

2. phpinfo

Be sure to disable the phpinfo page. The request information it dumps, such as cookie information, may be used by attackers.

3. Force the entire site to https

Redirect via the CDN, and the local development environment must also be set up with https. If https cannot be used for some feature, such as message push, create a separate site for it.

4. Strict mode

session.use_strict_mode = 1

Only accept session ids generated by the server itself, never a session id supplied by the user's client.

5. CSRF cross-site request forgery

A's cookie contains the session id of the site example.com and has not expired. B posts a picture on a forum to lure A into clicking it. The picture initiates a request disguised as coming from example.com; A's browser believes it and attaches the example.com cookie to the request. The request information is intercepted by B's code and sent to B through an asynchronous request. B then logs in to A's account at example.com using this cookie.

CI has an anti-CSRF mechanism: it automatically inserts a hidden CSRF field into each form. The following setting is required:

application/config/config.php:

$config['csrf_protection'] = TRUE;

Note: once this is enabled, all requests to outbound sites are blocked. If our website needs to obtain data from other websites, for example by calling an API, then this switch cannot be enabled.

6. XSS filtering

$this->input->post('a', TRUE);

As long as you add the parameter TRUE, XSS filtering is applied to the POST data.
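The two framework features from sections 5 and 6 together, as an added example written for this article rather than code taken from it or from the CodeIgniter project. It assumes CodeIgniter 3.x with `csrf_protection` enabled; the controller `Login`, the route `login/submit`, the view `login_form` and the model call are hypothetical names chosen for the example.

```php
<?php
// Added example, not code from the article. Assumes CodeIgniter 3.x with
// $config['csrf_protection'] = TRUE in application/config/config.php.
// "Login", "login/submit", "login_form" and user_model are hypothetical names.

// ---- application/config/config.php (relevant lines, for reference) ----
// $config['csrf_protection']   = TRUE;      // check every POST for the token
// $config['csrf_token_name']   = 'csrf_test_name';
// $config['csrf_cookie_name']  = 'csrf_cookie_name';
// $config['csrf_expire']       = 7200;      // token lifetime in seconds
// $config['csrf_regenerate']   = TRUE;      // fresh token on every request
// $config['csrf_exclude_uris'] = array();   // inbound URIs allowed to skip the check

// ---- application/controllers/Login.php ----
defined('BASEPATH') OR exit('No direct script access allowed');

class Login extends CI_Controller
{
    public function index()
    {
        $this->load->helper('form');
        $this->load->view('login_form', array('error' => ''));
    }

    public function submit()
    {
        // The CSRF check runs inside CI_Security before this method is reached:
        // a missing or mismatched token aborts with a 403, so nothing to do here.

        // TRUE as the second argument runs xss_clean() over the value (section 6).
        $username = $this->input->post('username', TRUE);
        // Do not xss_clean a password: it is hashed, never rendered, and the
        // filter could silently alter it.
        $password = $this->input->post('password');

        if ($username === NULL || $password === NULL) {
            show_error('Missing credentials', 400);
            return;
        }

        // Credential check through a hypothetical model:
        // $ok = $this->user_model->verify($username, $password);
        $ok = FALSE;

        if (!$ok) {
            // xss_clean() is an input filter; still escape at output time.
            $this->load->helper('form');
            $this->load->view('login_form', array(
                'error' => 'Login failed for ' . html_escape($username),
            ));
        }
    }
}

// ---- application/views/login_form.php ----
?>
<?php echo form_open('login/submit'); // emits the hidden CSRF field automatically ?>
    <?php if ($error !== '') { echo '<p>' . $error . '</p>'; } // already escaped ?>
    <input type="text" name="username">
    <input type="password" name="password">
    <button type="submit">Log in</button>
<?php echo form_close(); ?>

<!-- For a hand-written form or an AJAX request, add the field yourself: -->
<input type="hidden" name="<?php echo $this->security->get_csrf_token_name(); ?>"
       value="<?php echo $this->security->get_csrf_hash(); ?>">
```

`form_open()` only helps for forms it renders; any form built by hand or any POST sent from JavaScript has to carry the token name and hash obtained from `$this->security`, otherwise the framework rejects the request.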

7. Replay

You encrypt your username and password and send them to the server for login verification. The attacker does not need to decrypt this username and password; he only needs to send the intercepted data packet again to log in. This is replay.

Defense measure for 5 and 6: each form contains a hidden random token that can only be used once.

One-time token implementation: store the token in redis and delete it directly after it expires or after it is used.

8. Summary: user secure login process

<1> Basic session strategy:

(1) The session is a browser-session session only and becomes invalid when the browser is closed;
(2) The shorter the session validity period, the safer it is, for example 60 seconds;
(3) The session refresh time needs to be modified accordingly, for example 30 seconds;
(4) Set up redis to store the session.

The configuration is as follows:

In php.ini:

session.gc_maxlifetime = 60

This is the validity period of the session. The default is 1440 seconds, which is 24 minutes. Change it to, for example, 60 seconds. After 60 seconds the SID held by the client no longer matches a valid session on the server and becomes invalid. The page should be refreshed before the 60 seconds are up to update the SID. How to update is explained below;

In application/config/config.php:

$config['sess_driver'] = 'redis'; // use redis to store the session
$config['sess_cookie_name'] = 'ci_session';
$config['sess_expiration'] = 0; // browser-session session: closing the browser invalidates the client cookie
$config['sess_save_path'] = 'tcp://127.0.0.1:端口号'; // redis address (端口号 = the redis port number)
$config['sess_match_ip'] = FALSE; // whether to verify that the ip is unchanged
$config['sess_time_to_update'] = 30; // refresh the sid once 30 seconds have passed
$config['sess_regenerate_destroy'] = TRUE; // delete the old sid when regenerating


<2>Session id refresh and session expiration time distinction:

Note: these settings are closely related to security and should be distinguished and used carefully.

What does session.gc_maxlifetime above mean? It is the time from when a session is generated until it expires and can no longer be used. If you use redis this becomes very clear: the value is the duration set when the sid is saved to redis. When a sid is generated, this time is written along with it, and when the time is reached the key-value is deleted.

sess_time_to_update, as the name implies, is the refresh time. It is a threshold: the sid is refreshed once this time has passed, but not automatically; it is refreshed when the session is accessed! When we use the session, it checks the interval between the previous session access and this one; if the interval is greater than this value, the sid is refreshed. In practice this works as follows: when we refresh the page we read the session for authentication, and if the interval between two page refreshes exceeds this time, the sid is refreshed. Combined with the maxlifetime above, once the refresh is done the session is renewed: a new session is written, along with a restarted timer.

That is to say, if we refresh the page from time to time, the refresh mechanism is triggered whenever needed and our session never expires, as long as you keep refreshing regularly. If the interval between two refreshes exceeds maxlifetime, a login timeout is shown and the session is gone, because trying to update after expiration obviously does not work: the update fails.

In summary, maxlifetime determines how long we may go between two refreshes, otherwise the login times out; and update must be less than maxlifetime, which is inevitable, because if it were greater the session would already be invalid, and refreshing an expired session is useless. Preferably, I think update should be less than half of maxlifetime. If maxlifetime is very long (in the hope of improving the user experience, since it is never good for users to keep being logged out by timeouts), it does not matter that update is set short; a shorter update means that if the session is stolen, the stolen sid may well have already been replaced by the time the thief uses it, so security is higher.
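To make the interaction between the two timers concrete, here is a small model added for this article (not code from the article or from CodeIgniter). It assumes the behaviour described above: every access rewrites the session in redis with a TTL of maxlifetime, and the sid is regenerated when more than sess_time_to_update seconds have passed since the last regeneration. The access timestamps are constructed.

```php
<?php
// Added example, not from the article: a model of how gc_maxlifetime and
// sess_time_to_update interact. Assumptions: each access rewrites the redis key
// with a TTL of $maxlifetime; the sid is regenerated when more than
// $time_to_update seconds have passed since the last regeneration
// (sess_regenerate_destroy = TRUE, so the old sid is gone afterwards).
// Times are in seconds; the access sequence at the bottom is constructed.

function simulate_session(array $access_times, int $maxlifetime, int $time_to_update): array
{
    $log = array();
    $sid = 1;             // a counter stands in for the real random sid
    $last_write = null;   // when the session was last written (TTL restarted)
    $last_regen = null;   // when the sid was last regenerated

    foreach ($access_times as $now) {
        if ($last_write === null) {
            // first access: log in and create the session
            $last_write = $last_regen = $now;
            $log[] = array('t' => $now, 'sid' => $sid, 'event' => 'login');
            continue;
        }
        if ($now - $last_write > $maxlifetime) {
            // the redis key for this sid has been deleted: login timeout
            $log[] = array('t' => $now, 'sid' => $sid, 'event' => 'expired');
            $sid++;   // a fresh login gets a new sid
            $last_write = $last_regen = $now;
            $log[] = array('t' => $now, 'sid' => $sid, 'event' => 'login');
            continue;
        }
        $event = 'ok';
        if ($now - $last_regen > $time_to_update) {
            // sess_time_to_update exceeded: new sid, old one destroyed
            $sid++;
            $last_regen = $now;
            $event = 'regenerated';
        }
        $last_write = $now;   // every access restarts the maxlifetime TTL
        $log[] = array('t' => $now, 'sid' => $sid, 'event' => $event);
    }
    return $log;
}

// Constructed access pattern, using the article's values: maxlifetime 60, update 30.
$accesses = array(0, 20, 40, 55, 75, 140);
foreach (simulate_session($accesses, 60, 30) as $row) {
    printf("t=%3d sid=%d %s\n", $row['t'], $row['sid'], $row['event']);
}
```

With these inputs the sid is regenerated at t=40 and t=75 (more than 30 seconds since the previous regeneration), the accesses at 20 and 55 keep the same sid, and the access at 140 comes 65 seconds after the previous one, so the session has expired and a new login is needed. Changing `$time_to_update` to a value larger than `$maxlifetime` shows the point made above: the regeneration branch is never reached, because the expiry branch fires first.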

<3> One-time tokens:

One-time token
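The one-time token described in section 7 and named in this section, as an added example (not code from the article or from CodeIgniter). It assumes the phpredis extension (class `Redis`) and a reachable redis server; the key prefix `onetime:`, the token length, the TTL, the form field name `form_token` and the redis address are choices made for this example.

```php
<?php
// Added example, not from the article: a one-time form token kept in redis.
// Assumes phpredis (class Redis) and a redis server. The "onetime:" prefix,
// TOKEN_BYTES, TOKEN_TTL and the connection address are example choices.

const TOKEN_BYTES = 16;    // 128 bits of randomness per token
const TOKEN_TTL   = 300;   // seconds an unused token stays valid

function token_key(string $session_id, string $token): string
{
    // Binding the key to the session id means a token captured from one
    // user's form cannot be spent from another session.
    return 'onetime:' . $session_id . ':' . $token;
}

// Issue a token for the current session and store it with a TTL, so a token
// that is never submitted disappears on its own (the "expiration" case).
function issue_token(Redis $redis, string $session_id): string
{
    $token = bin2hex(random_bytes(TOKEN_BYTES));
    $redis->setex(token_key($session_id, $token), TOKEN_TTL, '1');
    return $token;
}

// Consume a token (the "use" case). DEL is atomic and returns the number of
// keys removed, so check-and-delete is a single step: two submissions of the
// same packet cannot both succeed, which is exactly what defeats a replay.
function consume_token(Redis $redis, string $session_id, string $token): bool
{
    // Reject anything that could not have been issued before touching redis.
    if (!preg_match('/^[0-9a-f]{' . (TOKEN_BYTES * 2) . '}$/', $token)) {
        return false;
    }
    return $redis->del(token_key($session_id, $token)) === 1;
}

// ---- usage ----
$redis = new Redis();
$redis->connect('127.0.0.1', 6379);   // example address

session_start();
$sid = session_id();

// When rendering the login form:
$token = issue_token($redis, $sid);
echo '<input type="hidden" name="form_token" value="'
    . htmlspecialchars($token, ENT_QUOTES) . '">' . "\n";

// When handling the POST. In a real handler the value comes from
// $_POST['form_token']; here the token just issued stands in for it.
$submitted = $token;
var_dump(consume_token($redis, $sid, $submitted));   // the genuine submission
var_dump(consume_token($redis, $sid, $submitted));   // the same packet sent again
```

The second `consume_token()` call models the replayed packet: the key was already deleted by the first call, `DEL` removes nothing, and the function returns `false`. In a CodeIgniter controller the same two functions would be called from the method that renders the form and from the one that handles the POST, with the framework's session id in place of `session_id()`.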

The above is the entire content of this article. I hope it will be helpful to everyone's learning.

