Is it possible for a malicious user to set the $_SESSION (in PHP) variable to any value he wants?
No, not if your code is correct and doesn't allow values to be set based on unverified user input.
Unless you have done something wrong in your code he can't set it on your server; what he can do is steal some other user's session cookie and get in that way... in other words, he can change his own session cookie that your $_SESSION uses to identify him.
Yes. If you use something from a cookie or another similar request method that a user can edit to interact with the session, then there is a chance. For example, say you make an online store and store the item IDs in the cookie, and on page refresh push them into the session. While on the page, a user can edit the cookies, so when the data goes into the session it has been modified.
It depends on how you set the session variables. A user can exploit the way you set them.
The most common attack with sessions is session fixation: http://en.wikipedia.org/wiki/Session_fixation
Highly depends on your code. Something very obvious:
$_SESSION['username'] = $_REQUEST['username'];
If you provide a means for him to do so (bad/insecure code), it is possible. However, this is generally unlikely.
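The two patterns the answers describe (request data copied straight into the session, and cookie contents pushed into the session), shown beside hardened forms. This is an added example, not code from any of the answers. The function names, the JSON cookie format, the user table and the catalogue are assumptions made for illustration, and the `$session` array stands in for `$_SESSION` so the script runs from the command line.

```php
<?php
declare(strict_types=1);

// Vulnerable pattern from the answer above: the client picks the identity.
function loginVulnerable(array &$session, array $request): void
{
    $session['username'] = $request['username'];
}

// Hardened: the session value is written only after the server has verified
// the credentials against its own records.
function loginHardened(array &$session, array $request, array $users): bool
{
    $name = $request['username'] ?? '';
    $pass = $request['password'] ?? '';
    if (!is_string($name) || !is_string($pass) || !isset($users[$name])
        || !password_verify($pass, $users[$name])) {
        return false;
    }
    // In a web request, call session_regenerate_id(true) here so a fixated
    // session ID does not survive the login.
    $session['username'] = $name;
    return true;
}

// Hardened cart import: the cookie is untrusted input, so only integer IDs
// that exist in the server-side catalogue reach the session.
function importCart(array &$session, string $cookie, array $catalogue): void
{
    $ids = json_decode($cookie, true);
    $ids = is_array($ids) ? $ids : [];
    $session['cart'] = array_values(array_filter($ids,
        fn($id) => is_int($id) && isset($catalogue[$id])));
}

// Constructed sample data (hypothetical, not from the original page).
$users = ['alice' => password_hash('correct horse', PASSWORD_DEFAULT)];
$catalogue = [101 => 'Keyboard', 102 => 'Mouse'];
$forged = ['username' => 'admin', 'password' => 'guess'];

$a = [];
loginVulnerable($a, $forged);
var_dump($a);
$b = [];
var_dump(loginHardened($b, $forged, $users), $b);
$c = [];
importCart($c, '[101, 999, "102"]', $catalogue);
var_dump($c);
```

In an application, pass `$_SESSION` after `session_start()` in place of the local arrays.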