Can a hacker set a PHP session variable?
Question
Part of the security check I set up is the random generation of an integer as a security token stored as a $_SESSION variable. This is validated through specific scripts and sets a boolean to true or false depending on if it's been validated (allowing entry to the site if other checks are passed). Is it possible for a hacker to somehow set this session variable? If so, how?
1 answers
solution1
1 2016-03-08 19:52:56
Only if you let them, like Joomla did (see also: the write-up for CVE-2015-8562 ).
If your application doesn't let attackers control the contents of the $_SESSION superglobal, then they quite simply cannot control them. Out of the box, this cannot happen.
Other ways an attacker can control the contents of $_SESSION :
- You store session data in a database driver, and you fail to connect to it over TLS or SSH.
- You serialize and store session data in a cookie, then fail to properly implement cryptographically secure message authentication.
But in general, no.
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.