问题描述

在任何情况下，客户端/用户/黑客都可以自行设置$_SESSION变量(不包括运行在服务器计算机上的恶意软件.我的主要意思是通过浏览器)?

Is there any scenario where a client/user/hacker can set $_SESSION variables themselves (excluding malicious software running on a server computer. I mostly mean via the browser)?

我问的原因是因为这个问题前几天问.从那时起，我对这个话题变得非常困惑，但是我对会话固定和劫持有了一个更好的主意.

The reason I ask is because of this question that I asked a few days ago. Since then I have become pretty confused on the subject, but I've got a better idea of session fixation and hijacking.

为了尽可能简单，如果我使用isset($_SESSION['validated'])之类的方法验证每个页面，它是否安全?

To put it as simply as possible, if I validate every page with something like isset($_SESSION['validated']), is it secure?

推荐答案

是的，如果您是直接将$_SESSION变量分配给未过滤的用户输入.

Yes if you were assigning $_SESSION variables directly to unfiltered user input.

这带给我了我的意思:从不信任用户的输入.永远

Which brings me to my point: NEVER TRUST INPUT FROM THE USER. EVER

如果确实要过滤输入，那么我不知道该怎么做.

If indeed you are filtering the input, then I don't see how it could be done.

这篇关于PHP客户端可以设置$ _SESSION变量吗?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持！