我们可以破解仅将用户名存储为会话变量的网站吗? [英] Can we hack a site that just stores the username as a session variable?

问题描述

我已经开发了一个网站，该网站可以检查用户是否已注册，并使用用户名创建会话变量.所有这些都存储为会话变量.如果要保护我的页面(以便只有注册用户可以看到它们)，请检查是否设置了会话变量. 这样安全吗? 还是可以提供一种更安全的方法?

I've developed my website that checks if the user is registered and creates a session variable with the username. It's all that is stored as a session variable. If I want to protect my pages (so that only registered users may see them), I check if the session variable is set. Is this secure? Or can you give a more secure method?

推荐答案

通常，会话是服务器端的，但是如果我以某种方式获得会话ID，我就可以劫持它.

Generally, the Session is server side, but If I somehow get the Session ID I can just hijack it.

我建议至少存储IP或用户代理，并在不匹配的情况下使会话无效.

I'd recommend at least storing either the IP and maybe also the User-Agent, and in case of mismatch, invalidate the Session.

这篇关于我们可以破解仅将用户名存储为会话变量的网站吗?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！