How Easy Is It to Hijack Session Vars on GoDaddy (PHP)


Question

This article points out:

If your site is run on a shared Web server, be aware that any session variables can easily be viewed by any other users on the same server.

On a larger host like GoDaddy, are there really no protections in place against this? Could it really be that easy? If it is that easy, where are the session vars of the other users on my host so I can check them out?

Recommended answer

It is ridiculously easy because by default php.ini#session.save_path points to /tmp on Linux installs and similar for Windows. This is bad because most users have read and write privileges to /tmp because they need them. You can protect against this by storing your session state in the database or by changing where your PHP application stores its session files, using session_save_path.
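The two mitigations the answer names, written out as an added example (this is not code from the original question or answer). It assumes PHP 8, a MySQL/MariaDB database reachable through PDO, and a `php_sessions` table with the columns shown in the comment; the private directory path, table name, DSN and credentials are placeholders to be replaced with your own.

```php
<?php
// Added example, not from the original answer: two ways to keep PHP session
// state out of the world-readable /tmp directory on a shared host.

// Option 1: keep file-based sessions, but in a directory only this account can
// read. The path is an assumption; it should sit outside the web root.
function usePrivateSessionDirectory(string $dir): void
{
    if (!is_dir($dir)) {
        // 0700: owner read/write/execute only, no group or world access.
        mkdir($dir, 0700, true);
    }
    ini_set('session.save_path', $dir);      // same effect as session_save_path()
    ini_set('session.use_strict_mode', '1'); // reject session ids the server never issued
    ini_set('session.cookie_httponly', '1'); // keep the cookie away from scripts
    ini_set('session.cookie_secure', '1');   // send the cookie over HTTPS only
}

// Option 2: store session state in the application's own database, which no
// other hosting account can read. Assumed table (MySQL/MariaDB):
//
//   CREATE TABLE php_sessions (
//       id      VARCHAR(128) PRIMARY KEY,
//       data    BLOB NOT NULL,
//       expires INT UNSIGNED NOT NULL
//   );
final class PdoSessionHandler implements SessionHandlerInterface
{
    public function __construct(private PDO $pdo, private int $lifetime = 1440) {}

    public function open(string $path, string $name): bool { return true; }
    public function close(): bool { return true; }

    public function read(string $id): string|false
    {
        $stmt = $this->pdo->prepare(
            'SELECT data FROM php_sessions WHERE id = :id AND expires > :now'
        );
        $stmt->execute([':id' => $id, ':now' => time()]);
        $row = $stmt->fetch(PDO::FETCH_ASSOC);
        // PHP expects an empty string, not false, for a session that does not exist yet.
        return $row === false ? '' : (string) $row['data'];
    }

    public function write(string $id, string $data): bool
    {
        // Upsert; ON DUPLICATE KEY UPDATE is MySQL/MariaDB syntax.
        $stmt = $this->pdo->prepare(
            'INSERT INTO php_sessions (id, data, expires) VALUES (:id, :data, :exp)
             ON DUPLICATE KEY UPDATE data = VALUES(data), expires = VALUES(expires)'
        );
        return $stmt->execute([
            ':id' => $id, ':data' => $data, ':exp' => time() + $this->lifetime,
        ]);
    }

    public function destroy(string $id): bool
    {
        $stmt = $this->pdo->prepare('DELETE FROM php_sessions WHERE id = :id');
        return $stmt->execute([':id' => $id]);
    }

    public function gc(int $max_lifetime): int|false
    {
        $stmt = $this->pdo->prepare('DELETE FROM php_sessions WHERE expires < :now');
        $stmt->execute([':now' => time()]);
        return $stmt->rowCount();
    }
}

function useDatabaseSessions(PDO $pdo): void
{
    ini_set('session.use_strict_mode', '1');
    // true: register session_write_close() as a shutdown function.
    session_set_save_handler(new PdoSessionHandler($pdo), true);
}

// Pick ONE of the two before session_start(). DSN and credentials are placeholders.
$pdo = new PDO('mysql:host=localhost;dbname=APP_DB', 'APP_USER', 'APP_PASSWORD', [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
]);
useDatabaseSessions($pdo);
// usePrivateSessionDirectory(__DIR__ . '/../private_sessions'); // the file-based alternative

session_start();
$_SESSION['visits'] = ($_SESSION['visits'] ?? 0) + 1;
```

Both settings must be applied before `session_start()`. The private-directory option only helps where each hosting account's PHP runs as its own system user (for example a per-account PHP-FPM pool); where every site runs as one shared web-server user, that user can still read the directory, which is why the database-backed handler is the more robust choice on a shared host.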

