Part of the security check I set up is the random generation of an integer as a security token stored as a $_SESSION variable. This is validated through specific scripts and sets a boolean to true or false depending on if it's been validated (allowing entry to the site if other checks are passed). Is it possible for a hacker to somehow set this session variable? If so, how?
Only if you let them, like Joomla did (see also: the write-up for CVE-2015-8562).
If your application doesn't let attackers control the contents of the $_SESSION superglobal, then they quite simply cannot control them. Out of the box, this cannot happen.
Other ways an attacker can control the contents of $_SESSION:
But in general, no.
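The following is an added example, not code from the question or the answer: it shows the token check from the question written so that request data is only compared against the session and never copied into it, beside the kind of application code that does hand session contents to the client. The key names, the function names and the use of `random_bytes()` instead of a random integer are assumptions, and plain arrays stand in for `$_SESSION` and `$_POST` so the script runs from the command line.

```php
<?php
declare(strict_types=1);

// Hypothetical key names; the page does not name them.
const TOKEN_KEY = 'security_token';
const VALID_KEY = 'token_validated';

// Server-side only: the token comes from a CSPRNG, never from the request.
function issue_token(array &$session): string
{
    $session[TOKEN_KEY] = bin2hex(random_bytes(32));
    $session[VALID_KEY] = false;
    return $session[TOKEN_KEY];
}

// Request data is compared against the session in constant time;
// nothing from the request is ever written into the session.
function validate_token(array &$session, array $request): bool
{
    $expected = $session[TOKEN_KEY] ?? null;
    $supplied = $request['token'] ?? null;
    $ok = is_string($expected) && is_string($supplied)
        && hash_equals($expected, $supplied);
    $session[VALID_KEY] = $ok;
    return $ok;
}

// Pattern to avoid: copying arbitrary request keys into the session lets
// the client choose session contents, including the validated flag.
function unsafe_merge(array &$session, array $request): void
{
    foreach ($request as $key => $value) {
        $session[$key] = $value;
    }
}

// Constructed sample data standing in for $_SESSION and $_POST.
$session = [];
$token = issue_token($session);

// A wrong token plus an extra field named after the flag: the flag is untouched.
var_dump(validate_token($session, ['token' => 'guess', VALID_KEY => true]));
var_dump($session[VALID_KEY]);
var_dump(validate_token($session, ['token' => $token]));

// The same extra field against the unsafe pattern overwrites the flag.
$weak = [];
issue_token($weak);
unsafe_merge($weak, [VALID_KEY => true]);
var_dump($weak[VALID_KEY]);
```

In a real application the functions would be called with `$_SESSION` after `session_start()`; the audit point is any code path that writes request-derived keys or unserialized request data into the session.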