PHP Session Security
Disclaimer: this page is a Chinese-English side-by-side translation of a popular StackOverflow question and is licensed under CC BY-SA 4.0. If you use it you must comply with the same CC BY-SA license, cite the original URL and author information, and attribute it to the original authors (not me): StackOverflow
Original URL: http://stackoverflow.com/questions/328/
Warning: these are provided under the CC BY-SA 4.0 license. You are free to use/share it, but you must attribute it to the original authors (not me): StackOverflow
Asked by saint_groceon
What are some guidelines for maintaining responsible session security with PHP? There's information all over the web and it's about time it all landed in one place!
Accepted answer by grom
There are a couple of things to do in order to keep your session secure:
- Use SSL when authenticating users or performing sensitive operations.
- Regenerate the session id whenever the security level changes (such as logging in). You can even regenerate the session id every request if you wish.
- Have sessions time out
- Don't use register globals
- Store authentication details on the server. That is, don't send details such as username in the cookie.
- Check the $_SERVER['HTTP_USER_AGENT']. This adds a small barrier to session hijacking. You can also check the IP address. But this causes problems for users that have changing IP address due to load balancing on multiple internet connections etc (which is the case in our environment here).
- Lock down access to the sessions on the file system or use custom session handling
- For sensitive operations consider requiring logged in users to provide their authentication details again
Answer by saint_groceon
One guideline is to call session_regenerate_id every time a session's security level changes. This helps prevent session hijacking.
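The checklist in the accepted answer and the session_regenerate_id advice in the answer just above, put together as one login/session layer. This is an added example, not code from either answer. Assumptions: the site is served over HTTPS, APP_SECRET is replaced with a random value from your own config, the in-memory $USERS table stands in for a real user store, and PHP 7.3 or later is used (for the array form of session_set_cookie_params and setcookie).

```php
<?php
// Added example (not code from the answers above). Assumptions, labelled:
// HTTPS everywhere; APP_SECRET comes from your config; $USERS is a constructed
// stand-in for a real user store.
declare(strict_types=1);

const APP_SECRET       = 'replace-with-a-long-random-value'; // assumption: from config
const IDLE_TIMEOUT     = 900;      // log out after 15 minutes of inactivity
const ABSOLUTE_TIMEOUT = 8 * 3600; // and after 8 hours regardless of activity

// Constructed sample user store; real code reads password hashes from a database.
$USERS = ['alice' => password_hash('correct horse battery staple', PASSWORD_DEFAULT)];

function start_secure_session(): void
{
    ini_set('session.use_strict_mode', '1');   // refuse ids the server never issued (fixation)
    ini_set('session.use_only_cookies', '1');  // never accept the id from the URL
    session_name('APPSESSID');                 // don't advertise PHP via PHPSESSID
    session_set_cookie_params([
        'lifetime' => 0,      // cookie dies with the browser
        'path'     => '/',
        'secure'   => true,   // only sent over HTTPS
        'httponly' => true,   // not readable from JavaScript
        'samesite' => 'Lax',
    ]);
    session_start();
}

// Weak extra check: user agent only. Pinning the IP breaks users behind
// load-balanced or mobile connections, as the accepted answer notes.
function fingerprint(): string
{
    return hash_hmac('sha256', $_SERVER['HTTP_USER_AGENT'] ?? '', APP_SECRET);
}

function verify_credentials(string $username, string $password): bool
{
    global $USERS;
    $hash = $USERS[$username] ?? null;
    return $hash !== null && password_verify($password, $hash);
}

function login(string $username, string $password): bool
{
    if (!verify_credentials($username, $password)) {
        return false;
    }
    // Security level changed: issue a new id and delete the old session data, so a
    // pre-set (fixated) id the attacker knows no longer maps to anything.
    session_regenerate_id(true);
    $_SESSION = [
        'user_id'     => $username,   // auth state lives server-side only
        'fingerprint' => fingerprint(),
        'created_at'  => time(),
        'last_seen'   => time(),
        'reauth_at'   => time(),      // last time the password was actually checked
    ];
    return true;
}

// Call at the top of every protected page, after start_secure_session().
function require_login(): void
{
    $now   = time();
    $valid = isset($_SESSION['user_id'])
        && hash_equals($_SESSION['fingerprint'] ?? '', fingerprint())
        && $now - ($_SESSION['last_seen'] ?? 0) <= IDLE_TIMEOUT
        && $now - ($_SESSION['created_at'] ?? 0) <= ABSOLUTE_TIMEOUT;
    if (!$valid) {
        logout();
        header('Location: /login.php');
        exit;
    }
    $_SESSION['last_seen'] = $now;
}

// Step-up for sensitive operations: the password must have been re-checked recently.
function require_recent_auth(int $maxAge = 300): bool
{
    return isset($_SESSION['reauth_at']) && time() - $_SESSION['reauth_at'] <= $maxAge;
}

function logout(): void
{
    $_SESSION = [];
    $p = session_get_cookie_params();
    // Expire the cookie in the browser as well as destroying the server-side data.
    setcookie(session_name(), '', [
        'expires'  => time() - 42000,
        'path'     => $p['path'],
        'domain'   => $p['domain'],
        'secure'   => $p['secure'],
        'httponly' => $p['httponly'],
        'samesite' => $p['samesite'],
    ]);
    session_destroy();
}

// login.php, with a constructed credential pair for illustration:
start_secure_session();
if (login('alice', 'correct horse battery staple')) {
    header('Location: /');
}
```

On a protected page the sequence is start_secure_session() followed by require_login(); a handler for a sensitive action additionally checks require_recent_auth() and, if it fails, asks for the password again and resets $_SESSION['reauth_at'] on success.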
Answer by cmcculloh
I think one of the major problems (which is being addressed in PHP 6) is register_globals. Right now one of the standard methods used to avoid register_globals is to use the $_REQUEST, $_GET or $_POST arrays.
The "correct" way to do it (as of 5.2, although it's a little buggy there, but stable as of 6, which is coming soon) is through filters.
So instead of:
$username = $_POST["username"];
you would do:
$username = filter_input(INPUT_POST, 'username', FILTER_SANITIZE_STRING);
or even just:
$username = filter_input(INPUT_POST, 'username');
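The filter extension used above, as an added example that is not part of the answer. filter_input() reads straight from the live request, so to run stand-alone this uses filter_var() on a constructed array; the filter constants and options are identical to what filter_input(INPUT_POST, 'username', FILTER_VALIDATE_REGEXP, $opts) takes. It uses validate filters, which reject bad input rather than quietly rewriting it, instead of FILTER_SANITIZE_STRING (deprecated as of PHP 8.1). The field names and the username pattern are assumptions.

```php
<?php
// Added example, not from the answer above. Assumptions: a login form with the
// fields username, remember and page; usernames are 3-32 word characters.
declare(strict_types=1);

const USERNAME_RE = '/^[A-Za-z0-9_]{3,32}$/';

// Returns the validated fields, or null when any field fails validation.
function read_login_form(array $source): ?array
{
    // Validate filter: anything not matching the pattern comes back as false,
    // including an array smuggled in as username[]=...
    $username = filter_var($source['username'] ?? '', FILTER_VALIDATE_REGEXP, [
        'options' => ['regexp' => USERNAME_RE],
    ]);
    // "on", "1", "true", "yes" -> true; "off", "0", "", "no" -> false; junk -> null
    $remember = filter_var($source['remember'] ?? 'off', FILTER_VALIDATE_BOOLEAN,
        FILTER_NULL_ON_FAILURE);
    // Optional page number, bounded to a sane range; out-of-range -> false
    $page = filter_var($source['page'] ?? '1', FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 1, 'max_range' => 100000],
    ]);

    if ($username === false || $remember === null || $page === false) {
        return null;
    }
    return ['username' => $username, 'remember' => $remember, 'page' => $page];
}

// Constructed inputs: the first is accepted; the other two are rejected outright
// rather than "cleaned" into something that merely looks like a username or page.
var_dump(read_login_form(['username' => 'alice_01', 'remember' => 'on']));
var_dump(read_login_form(['username' => '<script>alert(1)</script>alice']));
var_dump(read_login_form(['username' => 'alice', 'page' => '-5']));
```

Inside a real request handler the same calls become filter_input(INPUT_POST, 'username', FILTER_VALIDATE_REGEXP, ['options' => ['regexp' => USERNAME_RE]]) and so on; the return-value checks stay the same.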
Answer by takeshin
My two (or more) cents:
- Trust no one
- Filter input, escape output (cookie, session data are your input too)
- Avoid XSS (keep your HTML well formed, take a look at PHPTAL or HTMLPurifier)
- Defense in depth
- Do not expose data
There is a tiny but good book on this topic: Essential PHP Security by Chris Shiflett.
Essential PHP Security http://shiflett.org/images/essential-php-security-small.png
On the home page of the book you will find some interesting code examples and sample chapters.
You may use the technique mentioned above (IP & UserAgent), described here: How to avoid identity theft
Answer by raspi
This session fixation paper has very good pointers on where an attack may come from. See also the session fixation page at Wikipedia.
Answer by Eric Lamb
Using IP address isn't really the best idea in my experience. For example, my office has two IP addresses that get used depending on load and we constantly run into issues using IP addresses.
Instead, I've opted for storing the sessions in a separate database for the domains on my servers. This way no one on the file system has access to that session info. This was really helpful with phpBB before 3.0 (they've since fixed this) but it's still a good idea I think.
Answer by helloandre
This is pretty trivial and obvious, but be sure to session_destroy after every use. This can be difficult to implement if the user does not log out explicitly, so a timer can be set to do this.
Here is a good tutorial on setTimer() and clearTimer().
Answer by John Downey
The main problem with PHP sessions and security (besides session hijacking) comes with what environment you are in. By default PHP stores the session data in a file in the OS's temp directory. Without any special thought or planning this is a world readable directory so all of your session information is public to anyone with access to the server.
As for maintaining sessions over multiple servers: at that point it would be better to switch PHP to user handled sessions where it calls your provided functions to CRUD (create, read, update, delete) the session data. At that point you could store the session information in a database or memcache-like solution so that all application servers have access to the data.
Storing your own sessions may also be advantageous if you are on a shared server because it will let you store it in the database which you often times have more control over than the filesystem.
Answer by Chad
I set my sessions up like this:
on the log in page:
// PHRASE is a secret string constant defined on a config page
$_SESSION['fingerprint'] = md5($_SERVER['HTTP_USER_AGENT'] . PHRASE . $_SERVER['REMOTE_ADDR']);
(phrase defined on a config page)
then on the header that is throughout the rest of the site:
session_start();
// Recompute the fingerprint and bounce to the login page if it no longer matches
if ($_SESSION['fingerprint'] != md5($_SERVER['HTTP_USER_AGENT'] . PHRASE . $_SERVER['REMOTE_ADDR'])) {
    session_destroy();
    header('Location: http://website login page/');
    exit();
}
Answer by user956584
php.ini:
session.cookie_httponly = 1
Change the session name from the default PHPSESSID.
e.g. Apache add header:
X-XSS-Protection 1
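The php.ini side of the answer above, as an added example that is not part of the original post: each session directive is shown with its corrected value, and the comment names the default it replaces and why that default matters. The session name and save path are assumptions to adapt to your site, and session.cookie_secure requires the site to be served over HTTPS.

```ini
; Added example, not from the answer above. Assumptions: APPSESSID as the
; session name; /var/lib/php/sessions/myapp as a directory readable only by
; this application's user.

[Session]
session.cookie_httponly  = 1           ; default 0: cookie readable by JavaScript (XSS -> session theft)
session.cookie_secure    = 1           ; default 0: cookie is also sent over plain HTTP
session.cookie_samesite  = "Lax"       ; default "": cookie attached to cross-site requests
session.cookie_lifetime  = 0           ; session cookie, discarded when the browser closes
session.use_only_cookies = 1           ; default 1: keep it, never accept the id from the URL
session.use_trans_sid    = 0           ; default 0: keep it, never rewrite the id into links
session.use_strict_mode  = 1           ; default 0: accepts any id the client presents (fixation)
session.name             = "APPSESSID" ; default "PHPSESSID" fingerprints the stack
session.gc_maxlifetime   = 1440        ; idle seconds before garbage collection may remove a session
session.cache_limiter    = "nocache"   ; default nocache: keep authenticated pages out of shared caches
session.save_path        = "/var/lib/php/sessions/myapp" ; default "": the world-readable system temp directory
```

The header the answer mentions is an Apache directive, not a php.ini setting; in the virtual host it reads `Header always set X-XSS-Protection "1; mode=block"`. Restart PHP-FPM or Apache after changing php.ini and confirm the effective values with phpinfo() or `php -i | grep session.` before relying on them.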