I am building an application with a login, and I have read about regenerating the session ID with $request->session()->regenerate();
But I don't understand where I should use it. Can someone explain when and where I should regenerate the session ID?
Best answer
If you look at the default authentication, you can see that they regenerate the session on every login authentication.
protected function sendLoginResponse(Request $request)
{
    // Issue a fresh session ID now that the user is authenticated,
    // so any ID known before login is no longer valid.
    $request->session()->regenerate();

    $this->clearLoginAttempts($request);

    if ($response = $this->authenticated($request, $this->guard()->user())) {
        return $response;
    }

    return $request->wantsJson()
        ? new JsonResponse([], 204)
        : redirect()->intended($this->redirectPath());
}
The main purpose of regenerating the session ID is usually to prevent malicious users from exploiting a session fixation attack on your application. What is session fixation?
Session Fixation is an attack that permits an attacker to hijack a valid user session. The attack explores a limitation in the way the web application manages the session ID, more specifically the vulnerable web application. When authenticating a user, it doesn’t assign a new session ID, making it possible to use an existent session ID. The attack consists of obtaining a valid session ID (e.g. by connecting to the application), inducing a user to authenticate himself with that session ID, and then hijacking the user-validated session by the knowledge of the used session ID. The attacker has to provide a legitimate Web application session ID and try to make the victim’s browser use it.
According to the documentation:
Regenerating the session ID is often done in order to prevent malicious users from exploiting a session fixation attack on your application.
Laravel automatically regenerates the session ID during authentication if you are using one of the Laravel application starter kits or Laravel Fortify; however, if you need to manually regenerate the session ID, you may use the regenerate method:
$request->session()->regenerate();
If you need to regenerate the session ID and remove all data from the session in a single statement, you may use the invalidate method:
$request->session()->invalidate();
Reference: https://laravel.com/docs/8.x/session
Reference: https://owasp.org/www-community/attacks/Session_fixation
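To make the "where" concrete for a hand-written login controller (added example, not code from the answer above or from Laravel itself; the controller name and the 'dashboard' route are assumptions), the pattern is: regenerate the session ID immediately after Auth::attempt() succeeds, and invalidate the whole session plus rotate the CSRF token on logout.

```php
<?php

namespace App\Http\Controllers;

use Illuminate\Http\Request;
use Illuminate\Support\Facades\Auth;

// Hypothetical manual login controller; route names are assumptions.
class LoginController extends Controller
{
    public function authenticate(Request $request)
    {
        $credentials = $request->validate([
            'email'    => ['required', 'email'],
            'password' => ['required'],
        ]);

        if (Auth::attempt($credentials)) {
            // The session ID the browser carried before login may have been
            // planted by someone else (session fixation). Swapping it for a
            // new one here means only the just-authenticated browser, which
            // receives the new cookie, can continue this session.
            $request->session()->regenerate();

            return redirect()->intended('dashboard');
        }

        // Do NOT regenerate on failure: nothing privileged was attached
        // to the session, and rotating here would only mask the login
        // attempt counter that throttling relies on.
        return back()->withErrors([
            'email' => 'The provided credentials do not match our records.',
        ]);
    }

    public function logout(Request $request)
    {
        Auth::logout();

        // invalidate() flushes all session data and issues a new ID, so
        // the old ID cannot be reused; regenerateToken() rotates the CSRF
        // token so a form cached from the old session no longer validates.
        $request->session()->invalidate();
        $request->session()->regenerateToken();

        return redirect('/');
    }
}
```

Regenerating the ID rather than touching the data is deliberate: regenerate() keeps things like the intended-URL and flash messages, while invalidate() on logout removes everything.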
Regarding "php - When to regenerate session ID in Laravel?", we found a similar question on Stack Overflow: https://stackoverflow.com/questions/68083063/