Is it possible to "pirate" a session variable (I do not want to know how)
Problem description
I am currently doing a website in PHP; we are using a session variable to store the permission level of each user.
For example, if any one of you would go on the website, you would automatically get a session variable with a value of "member".
What I am asking is: is it possible for an attacker to go on the website and modify the value of the session variable to "admin" instead of "member"?
I am not asking how, just if it is possible, and if so, what kind of special access the attacker would need (ex: access to the code, ...).
I have an alternative solution, which would be to replace the permission value with a token that would expire over time.
The second solution is way longer to implement.
Thanks for your help!
Recommended answer
No, unless:
- the attacker has access to the storage of the session variables (usually the server's file system, but it could also be, for example, a database)
- the attacker intercepts the session cookie of a higher-privileged user
- the attacker manages to fix the session of a higher-privileged user (see session fixation)
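As an added example (not part of the answer above), the PHP settings and calls that close off the second and third cases the answer lists, plus an idle timeout so a stolen cookie stops working on its own; `check_credentials()` is a hypothetical placeholder for the site's own password check.

```php
<?php
// Added example: hardened session handling for a permission-in-session design.
// Assumes a hypothetical check_credentials($user, $password) function.

// Refuse session IDs the server never issued. An attacker-chosen ID (session
// fixation) is then discarded instead of being adopted. Set before session_start().
ini_set('session.use_strict_mode', '1');
ini_set('session.use_only_cookies', '1');

// Cookie flags: HttpOnly keeps page scripts from reading the ID, Secure keeps
// it off plaintext HTTP, SameSite limits cross-site sending.
session_set_cookie_params([
    'lifetime' => 0,
    'path'     => '/',
    'secure'   => true,
    'httponly' => true,
    'samesite' => 'Lax',
]);
session_start();

function login(string $user, string $password): bool
{
    if (!check_credentials($user, $password)) {   // placeholder, not real
        return false;
    }
    // New ID on login, old session data deleted: an ID planted before login
    // never carries the freshly granted privileges.
    session_regenerate_id(true);
    $_SESSION['user']       = $user;
    $_SESSION['permission'] = 'member';
    $_SESSION['last_seen']  = time();
    return true;
}

function elevate_to_admin(): void
{
    // Every privilege change gets a new session ID as well.
    session_regenerate_id(true);
    $_SESSION['permission'] = 'admin';
}

function require_permission(string $needed): void
{
    // Idle timeout (15 min): limits how long an intercepted cookie stays useful.
    if (!isset($_SESSION['last_seen']) || time() - $_SESSION['last_seen'] > 900) {
        session_unset();
        session_destroy();
        http_response_code(403);
        exit('Session expired');
    }
    $_SESSION['last_seen'] = time();
    if (($_SESSION['permission'] ?? '') !== $needed) {
        http_response_code(403);
        exit('Forbidden');
    }
}
```

The first case (access to the session store) is a server-hardening matter: keep `session.save_path` outside the web root with permissions limited to the PHP process user.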