Security of $_SESSION array

Question

When a low-privilege non-administrator user logs into my web app successfully, I am storing the following data in the $_SESSION array:

<?php
// Populated once, right after a successful login; values come from the DB row
$_SESSION = array(
    'user_id'     => 2343,  // whatever their user_id number is from the DB
    'allow_admin' => false, // don't give them access to admin tools
    'allow_edit'  => false, // don't let them edit stuff
);

Is there any way that they could manipulate the $_SESSION array to give them Admin or Edit access, apart from somehow editing the session files in /tmp? (The above code is the only place where those items are added to $_SESSION)

Accepted answer

The contents of the session are only visible and modifiable on the server side.

They could only be modified in an "unauthorized" way if your application or server contains some vulnerability.

You should also be aware of such things as session fixation attacks, where an attacker forces a particular session id onto an unsuspecting user who, when they log in and elevate that session's privileges, allow the attacker to share that session.

One approach to mitigating these is to regenerate the session id whenever you change privilege levels of the session.

See also this question:
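The regeneration step the answer recommends, written out as an added PHP example (this is not code from the question or the answer); verify_credentials() is a hypothetical application function, and the $_SESSION keys are the ones from the question:

```php
<?php
// Added example, not from the original post. Assumes a hypothetical
// verify_credentials() that returns the user's DB row or null.
declare(strict_types=1);

// Refuse session ids the server never issued: an id planted by a fixation
// attempt is discarded instead of being adopted as a valid session.
ini_set('session.use_strict_mode', '1');
// Keep the cookie out of reach of client-side script.
ini_set('session.cookie_httponly', '1');
session_start();

function login(string $username, string $password): bool
{
    $user = verify_credentials($username, $password); // hypothetical
    if ($user === null) {
        return false;
    }

    // The privilege level is about to change (anonymous -> authenticated),
    // so issue a fresh session id and delete the old session file. Any id an
    // attacker fixed on the victim before login no longer names this session.
    session_regenerate_id(true);

    // Privileges are derived from the server-side DB row, never from request input.
    $_SESSION = [
        'user_id'     => (int) $user['id'],
        'allow_admin' => (bool) $user['is_admin'],
        'allow_edit'  => (bool) $user['can_edit'],
    ];
    return true;
}

function logout(): void
{
    // Clear server-side state as well as the id, so the old session cannot be reused.
    $_SESSION = [];
    session_destroy();
}

function require_admin(): void
{
    // Authorisation is decided solely from the server-side session contents.
    if (empty($_SESSION['allow_admin'])) {
        http_response_code(403);
        exit('forbidden');
    }
}
```

The same session_regenerate_id(true) call belongs at any other point where the session's privilege level rises, for example a step-up to an admin role.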
