Php session fixation example and fixes

Backend · unresolved · 4 · 1037
礼貌的吻别 2021-01-14 02:29

My question is about this summary on session fixation:

  • Alice has an account at the bank http://unsafe.com/. Unfortunately, Alice is not very security savvy.

4 answers
  • 遥遥无期
    2021-01-14 03:20

    I don't fully understand; is this really a problem?

    Q1. I think you need to check whether there is a SID received from GET or COOKIE in your session storage already (for example, in a database). If YES, it's okay; if no, create a new one on the server side and do an HTTP redirect with the new SID.

    Q2. I don't use PHP 5.4, but I think the following code will help:

    unset($_GET['sid']); // drop a session ID supplied in the query string
    

    Update: I think the common fix is that only the backend server can generate SID identifiers. No user possibilities for this!
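The answer above describes the two defensive steps in prose: never let the client choose the session identifier, and only treat as valid the identifiers the server itself issued. The following is an added example, not code from the original post or from any project it mentions, showing one way to put both steps into a PHP login flow. The function names `credentials_valid`, `login` and `logout`, the user store and the `/account.php` redirect target are assumptions made for the example; the `session.*` settings and `session_*` calls are standard PHP.

```php
<?php
// Added example, not code from the original post: hardening a PHP login
// flow against session fixation. Function names are hypothetical; the ini
// settings and session_* calls are standard PHP.

// Only the session cookie is an acceptable carrier for the ID, so a SID
// smuggled in a URL (?sid=... or ?PHPSESSID=...) is never consumed at all.
// This is the part that unset($_GET['sid']) alone cannot guarantee, because
// with session.use_trans_sid enabled the ID is read during session_start().
ini_set('session.use_only_cookies', '1');
ini_set('session.use_trans_sid', '0');
ini_set('session.cookie_httponly', '1');
// PHP >= 5.5.2: refuse any ID the server did not generate itself. Older
// versions ignore this setting; the manual check below covers them.
ini_set('session.use_strict_mode', '1');

session_start();

// Manual equivalent of strict mode, i.e. the "is this SID already in my
// session storage?" check from the answer: every session this server
// created carries a marker, so an incoming ID without one was never issued
// here and is replaced before anything is stored under it.
if (empty($_SESSION['issued_by_server'])) {
    session_regenerate_id(true);   // true: discard data kept under the old ID
    $_SESSION['issued_by_server'] = true;
}

// Hypothetical credential check against a constructed sample user store.
// Real code stores password hashes and compares with password_verify().
function credentials_valid($user, $password)
{
    $known = array('alice' => 'correct horse battery staple'); // constructed
    return isset($known[$user]) && $known[$user] === $password;
}

function login($user)
{
    // The ID that existed before authentication may have been observed or
    // planted by someone else, so it must never become a logged-in session:
    // issue a fresh ID and bind the login to that one only.
    session_regenerate_id(true);
    $_SESSION['user']     = $user;
    $_SESSION['login_at'] = time();
}

function logout()
{
    // Clear server-side data, expire the cookie, then destroy the session.
    $_SESSION = array();
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
            $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
}

if ($_SERVER['REQUEST_METHOD'] === 'POST'
    && isset($_POST['user'], $_POST['password'])
    && credentials_valid($_POST['user'], $_POST['password'])) {
    login($_POST['user']);
    header('Location: /account.php', true, 303); // assumed post-login page
    exit;
}
```

The order matters: the ini settings have to be applied before `session_start()`, the marker check runs immediately after it, and `session_regenerate_id(true)` is called again at the privilege change (login). With those three in place, an identifier that Alice received from someone else is discarded on her first request, and even an identifier that survived until login is replaced before her authenticated state is attached to it.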
