问题描述
在任何情况下,客户端/用户/黑客都可以自行设置$_SESSION
变量(不包括运行在服务器计算机上的恶意软件.我的主要意思是通过浏览器)?
Is there any scenario where a client/user/hacker can set $_SESSION
variables themselves (excluding malicious software running on a server computer. I mostly mean via the browser)?
我问的原因是因为这个问题前几天问.从那时起,我对这个话题变得非常困惑,但是我对会话固定和劫持有了一个更好的主意.
The reason I ask is because of this question that I asked a few days ago. Since then I have become pretty confused on the subject, but I've got a better idea of session fixation and hijacking.
为了尽可能简单,如果我使用isset($_SESSION['validated'])
之类的方法验证每个页面,它是否安全?
To put it as simply as possible, if I validate every page with something like isset($_SESSION['validated'])
, is it secure?
推荐答案
是的,如果您是直接将$_SESSION
变量分配给未过滤的用户输入.
Yes if you were assigning $_SESSION
variables directly to unfiltered user input.
这带给我了我的意思:从不信任用户的输入.永远
Which brings me to my point: NEVER TRUST INPUT FROM THE USER. EVER
如果确实要过滤输入,那么我不知道该怎么做.
If indeed you are filtering the input, then I don't see how it could be done.
这篇关于PHP客户端可以设置$ _SESSION变量吗?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持!