PHP Can a client ever set $_SESSION variables?

Posted 2019-02-04 10:23

Question:

Is there any scenario where a client/user/hacker can set $_SESSION variables themselves (excluding malicious software running on a server computer; I mostly mean via the browser)?

The reason I ask is because of this question that I asked a few days ago. Since then I have become pretty confused on the subject, but I've got a better idea of session fixation and hijacking.

To put it as simply as possible, if I validate every page with something like isset($_SESSION['validated']), is it secure?

Answer 1:

Yes, if you were assigning $_SESSION variables directly to unfiltered user input.

Which brings me to my point: NEVER TRUST INPUT FROM THE USER. EVER.

If indeed you are filtering the input, then I don't see how it could be done.



Answer 2:

I don't think $_SESSION variables can be changed unless the user has server access; otherwise, no, they can't change it. But filtering or sanitizing the variables is recommended if it is something the user enters.



Answer 3:

Yes, it's possible. Read about session poisoning and another quite common security issue, session fixation, on Wikipedia, or Google it; the web is full of articles about that.



Answer 4:

I do not quite understand the question, but this explains my way of doing what I think you want to do.

Make sure that you include jQuery.

Code:

<html>
<head>
  <title>Tab name</title>
  <meta charset="UTF-8" />
  <script type="text/javascript" src="http://code.jquery.com/jquery-1.11.3.min.js"></script>
  <script type="text/javascript" src="script.js"></script>
</head>
<body>
</body>
</html>

Then make a file called addsession.php.

Code for addsession.php:

<?php
  // Start (or resume) the session before anything is printed.
  session_start();

  if (isset($_POST["name"])) {
    $name = $_POST["name"];
  } else {
    print '<p style = "color: red; font-weight: bold;">Name not defined!</p>' . "\n";
    $name = "unknownsessionvariable";
  }
  if (isset($_POST["value"])) {
    $value = $_POST["value"];
  } else {
    $value = "";
  }
  // Both the key and the value come straight from the POST body,
  // so the client decides which session variable gets written.
  $_SESSION[$name] = $value;
?>

Code for script.js:

function session(name, value){
  // Reload only once the POST has finished; reloading immediately would
  // abort the request before addsession.php has run.
  $.post("addsession.php", {"name" : name, "value" : value}).done(function(){
    window.location.reload(); // This line maybe should be here depending on what you are doing.
  });
}
$(document).ready(function(){
  session("sessvar", "supervalue");
});

Example code snippet (JavaScript pane):

function session(name, value){
  $.post("http://www.eastonwerling.com/addsession.php", {"name" : name, "value" : value});
  //window.location.reload();
}
$(document).ready(function(){
  session("sessvar", "supervalue");
});

HTML pane:

<script src="http://code.jquery.com/jquery-1.11.3.min.js"></script>
<p>This example depends on www.eastonwerling.com (my website).</p>

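The following is an added example, not code from any of the answers above or from the asker. It puts the pattern from Answer 4 (a handler that writes whatever key and value the client posts into $_SESSION) next to a hardened handler that answers the original question: the server alone decides which keys exist, `$_SESSION['validated']` is set only after a credential check, and `session_regenerate_id()` discards the session id the client arrived with, which is the session-fixation issue Answer 3 points at. The in-memory user store, the password, the `/login.php` redirect target and the list of allowed preferences are all constructed placeholders for the example.

```php
<?php
declare(strict_types=1);

// --- The pattern from Answer 4: the client chooses key and value. ---------
// A POST body of name=validated&value=1 makes isset($_SESSION['validated'])
// true without any login ever having taken place.
function set_session_from_post_unsafe(array $post): void
{
    $_SESSION[$post['name']] = $post['value'];
}

// --- Hardened: server-chosen keys, written only after authentication. -----

// Constructed in-memory user store (username => password hash); a real
// application reads the stored hash from its database.
function demo_users(): array
{
    return ['alice' => password_hash('correct horse', PASSWORD_DEFAULT)];
}

function login(string $user, string $password): bool
{
    $users = demo_users();
    if (!isset($users[$user]) || !password_verify($password, $users[$user])) {
        return false;
    }
    // Session fixation defence: replace the id the client presented (which an
    // attacker may have planted) with a fresh one and delete the old file.
    session_regenerate_id(true);
    // Nothing from $_POST is used as a key; every key is a server decision.
    $_SESSION['validated']  = true;
    $_SESSION['user']       = $user;
    $_SESSION['login_time'] = time();
    return true;
}

// User-supplied values may still end up in the session, but only under keys
// the server allows and only after the value itself has been validated.
const ALLOWED_PREFS = [
    'theme' => ['light', 'dark'],
    'lang'  => ['en', 'de'],
];

function set_preference(string $key, string $value): bool
{
    if (!isset(ALLOWED_PREFS[$key]) || !in_array($value, ALLOWED_PREFS[$key], true)) {
        return false; // unknown key or value: reject, never store
    }
    $_SESSION['prefs'][$key] = $value;
    return true;
}

// The per-page check from the question. It is only as trustworthy as the
// code paths that can write 'validated', which here is login() alone.
function require_login(): void
{
    if (empty($_SESSION['validated']) || !isset($_SESSION['user'])) {
        header('Location: /login.php', true, 302);
        exit;
    }
}

// Minimal dispatcher so the file can be dropped in and exercised with POSTs.
session_start();
$action = (string)($_POST['action'] ?? '');
if ($action === 'login') {
    $ok = login((string)($_POST['user'] ?? ''), (string)($_POST['password'] ?? ''));
    echo $ok ? "logged in\n" : "bad credentials\n";
} elseif ($action === 'pref') {
    require_login();
    $ok = set_preference((string)($_POST['key'] ?? ''), (string)($_POST['value'] ?? ''));
    echo $ok ? "saved\n" : "rejected\n";
}
```

With the hardened handler, a request such as `action=pref&key=validated&value=1` is rejected because `validated` is not an allowed preference key, so `isset($_SESSION['validated'])` on other pages remains a reliable login check. The same request against `set_session_from_post_unsafe()` would succeed, which is exactly the case Answer 1 describes.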


Tags: php security