[英]Can a hacker set a PHP session variable?
Part of the security check I set up is the random generation of an integer as a security token stored as a $_SESSION
variable. 我设置的安全检查的一部分是随机生成一个整数,作为安全令牌存储为$_SESSION
变量。 This is validated through specific scripts and sets a boolean to true or false depending on if it's been validated (allowing entry to the site if other checks are passed). 这可以通过特定的脚本进行验证,并根据是否通过验证将布尔值设置为true或false(如果通过了其他检查,则允许输入该站点)。 Is it possible for a hacker to somehow set this session variable? 黑客有可能以某种方式设置此会话变量吗? If so, how? 如果是这样,怎么办?
Only if you let them, like Joomla did (see also: the write-up for CVE-2015-8562 ). 仅在您像Joomla那样允许它们时才这样做 (另请参见: CVE-2015-8562的文章 )。
If your application doesn't let attackers control the contents of the $_SESSION
superglobal, then they quite simply cannot control them. 如果您的应用程序不让攻击者控制$_SESSION
超全局变量的内容,那么他们就完全无法控制它们。 Out of the box, this cannot happen. 开箱即用,这不可能发生。
Other ways an attacker can control the contents of $_SESSION
: 攻击者可以其他方式控制$_SESSION
的内容:
But in general, no. 但总的来说,没有。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.