Are Laravel session variables secure?


Question

Is there any (known) way for end users to edit a Laravel session variable?

Answer

Is there any (known) way for end users to edit a Laravel 4 session variable?

Yes there is, but only if you go out of your way to make it possible. The steps required are:

  1. Use the cookie driver for sessions (which stores all of the session data in the cookie itself, rather than simply storing an identifier in the cookie and keeping the actual data server-side). I generally advise against storing session state in cookies.
  2. Turn off session encryption, which the documentation strongly advises against.

If you take these ill-advised steps, then in addition to allowing users to overwrite session data, you also run the risk of PHP object injection via unserialize().

Advice: If you are going to store session state in a cookie, make sure it's wrapped in authenticated encryption. Laravel's encryption library employs authenticated encryption (Encrypt then MAC), and the sessions use this by default.

As for the other drivers, that depends on your network topology. If your database is on another server and your attacker can impersonate the web server, they can put whatever they want in the database.

Last I checked, Laravel defaults to encrypting session data (unless you disable encryption). Unless your database is on the same host as the web server, leave it turned on.
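The two failure modes the answer describes, as an added example that is not part of the original answer and is not Laravel's own code: a minimal model of the cookie session driver, first with encryption switched off (the cookie is the session, and whatever the client sends is passed straight to unserialize()), then wrapped in Encrypt-then-MAC (AES-256-CBC plus HMAC-SHA256, laid out like the base64 JSON envelope Laravel's Encrypter produces, but re-implemented here with openssl for illustration). The class name, key, cookie contents and file path are all made up; it assumes PHP 8 with the openssl extension.

```php
<?php
declare(strict_types=1);
// Added example, not code from the original answer or from Laravel.
// Models the "cookie" session driver with and without authenticated encryption.

// A harmless stand-in for a deserialization "gadget": any class with a
// magic method that runs on an attacker-chosen instance. Made up for this demo.
final class AuditLogger
{
    public function __construct(public string $logFile = 'audit.log') {}

    public function __destruct()
    {
        // A real gadget would write to $this->logFile; here we only report it.
        echo "[destruct] AuditLogger would write to {$this->logFile}\n";
    }
}

// --- 1. Cookie driver with encryption disabled: the cookie IS the session. ---

function buildPlainSessionCookie(array $session): string
{
    // Serialized session data, base64-encoded, nothing else.
    return base64_encode(serialize($session));
}

function readPlainSessionCookie(string $cookie): array
{
    // No integrity check: whatever the client sends is deserialized as-is.
    return unserialize(base64_decode($cookie));
}

// --- 2. The same cookie wrapped in Encrypt-then-MAC (AES-256-CBC + HMAC-SHA256). ---

function encryptCookie(string $plaintext, string $key): string
{
    $iv = random_bytes(16);
    $value = base64_encode(openssl_encrypt($plaintext, 'aes-256-cbc', $key, OPENSSL_RAW_DATA, $iv));
    $ivB64 = base64_encode($iv);
    // MAC computed over iv || ciphertext AFTER encryption (Encrypt-then-MAC).
    $mac = hash_hmac('sha256', $ivB64 . $value, $key);
    return base64_encode(json_encode(['iv' => $ivB64, 'value' => $value, 'mac' => $mac]));
}

function decryptCookie(string $cookie, string $key): string
{
    $payload = json_decode(base64_decode($cookie), true);
    if (!is_array($payload) || !isset($payload['iv'], $payload['value'], $payload['mac'])) {
        throw new RuntimeException('malformed payload');
    }
    // Verify the MAC before touching the ciphertext, with a constant-time compare.
    $expected = hash_hmac('sha256', $payload['iv'] . $payload['value'], $key);
    if (!hash_equals($expected, $payload['mac'])) {
        throw new RuntimeException('MAC mismatch: cookie was tampered with');
    }
    $plain = openssl_decrypt(
        base64_decode($payload['value']), 'aes-256-cbc', $key, OPENSSL_RAW_DATA, base64_decode($payload['iv'])
    );
    if ($plain === false) {
        throw new RuntimeException('decryption failed');
    }
    return $plain;
}

// --- Demo ---
$key = random_bytes(32);                              // stands in for APP_KEY
$session = ['user_id' => 42, 'role' => 'user'];      // constructed sample session

// Attacker-crafted cookie (constructed by hand, as an attacker would): elevated
// role plus an injected AuditLogger object pointing at a path of their choosing.
$forged = base64_encode(
    'a:3:{s:7:"user_id";i:1;s:4:"role";s:5:"admin";s:1:"x";'
    . 'O:11:"AuditLogger":1:{s:7:"logFile";s:25:"/var/www/public/shell.php";}}'
);
$plain = readPlainSessionCookie($forged);
printf("unencrypted driver accepted role=%s and instantiated %s\n", $plain['role'], get_class($plain['x']));

// With Encrypt-then-MAC, the client cannot produce a valid MAC without the key.
$good = encryptCookie(serialize($session), $key);
var_dump(unserialize(decryptCookie($good, $key)) === $session); // bool(true)

// Tampering: swap the ciphertext field for something else; the MAC no longer matches.
$p = json_decode(base64_decode($good), true);
$p['value'] = base64_encode(serialize(['role' => 'admin']));
try {
    decryptCookie(base64_encode(json_encode($p)), $key);
} catch (RuntimeException $e) {
    echo "encrypted driver rejected the cookie: {$e->getMessage()}\n";
}
```

Run it with `php` on the command line: the unencrypted path accepts the forged role and instantiates the injected class (its destructor fires when the script exits), while the authenticated path rejects the modified cookie before any ciphertext is decrypted or any byte reaches unserialize(). Independently of encryption, PHP 7.0 and later accept an `allowed_classes` option to unserialize() that stops object instantiation from untrusted strings, but that only narrows the object-injection risk; the answer's point is that with authenticated encryption the client never gets a modified payload past the MAC at all.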
