PHP Can a client ever set $_SESSION variables?

谎友^ 2020-12-30 00:48

Is there any scenario where a client/user/hacker can set $_SESSION variables themselves (excluding malicious software running on a server computer. I mostly mea

4 Answers
  • 2020-12-30 00:55

    I don't think $_SESSION variables can be changed unless the user has server access; otherwise, no, they can't change them. But filtering or sanitizing the variables is recommended if it is something the user enters.

  • 2020-12-30 00:57

    Yes, it's possible. Read about session poisoning and another quite common security issue, session fixation, on Wikipedia, or Google it - the web is full of articles about that.

  • 2020-12-30 00:59

    I do not quite understand the question, but this question explains my way of what I think that you want to do.

    Make sure that you include jQuery.

    Code:

    <html>
    <head>
      <title>Tab name</title>
      <meta charset = "UTF-8" />
      <script type = "text/javascript" src = "http://code.jquery.com/jquery-1.11.3.min.js"></script>
      <script type = "text/javascript" src = "script.js"></script>
    </head>
    <body>
    </body>
    
    </html>
    

    Then make a file called addsession.php.

    Code for addsession.php:

    <?php session_start(); ?>
    <?php
      if(isset($_POST["name"])){
        $name = $_POST["name"];
      } else {
        print '<p style = "color: red; font-weight: bold;">Name not defined!</p>' . "\n";
        $name = "unknownsessionvariable";
      }
      if(isset($_POST["value"])){
        $value = $_POST["value"];
      } else {
        $value = "";
      }
      // Store the client-supplied value under the client-supplied key.
      $_SESSION[$name] = $value;
    ?>
    

    Code for script.js:

    function session(name, value){
      $.post("addsession.php", {"name" : name, "value" : value});
      window.location.reload(); // This line maybe should be here depending on what you are doing.
    }
    $(document).ready(function(){
      session("sessvar", "supervalue");
    });
    

    Example code snippet:

    function session(name, value){
      $.post("http://www.eastonwerling.com/addsession.php", {"name" : name, "value" : value});
      //window.location.reload();
    }
    $(document).ready(function(){
      session("sessvar", "supervalue");
    });

    <script src="http://code.jquery.com/jquery-1.11.3.min.js"></script>
    <p>This example depends on www.eastonwerling.com (my website).</p>

  • 2020-12-30 01:02

    Yes, if you were assigning $_SESSION variables directly to unfiltered user input.

    Which brings me to my point: NEVER TRUST INPUT FROM THE USER. EVER

    If indeed you are filtering the input, then I don't see how it could be done.

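The pattern the last answer describes (and that the addsession.php answer implements), next to a hardened variant, as an added example that is not part of any of the original posts. The function names, session keys and sample request are hypothetical; the session is passed in as a plain array so the script runs from the PHP command line.

```php
<?php
// Added example; function names, session keys and the request are hypothetical.

// Vulnerable: the client picks both the session key and the value.
function store_unfiltered(array &$session, array $post): void
{
    if (isset($post['name'], $post['value'])) {
        $session[$post['name']] = $post['value'];
    }
}

// Hardened: only allowlisted preference keys, each with its own validator.
// Authorization state (user_id, is_admin) is never in the allowlist; the
// server sets it itself after authenticating the user.
function store_allowlisted(array &$session, array $post): bool
{
    $validators = [
        'theme'    => fn(string $v) => in_array($v, ['light', 'dark'], true),
        'per_page' => fn(string $v) => ctype_digit($v) && (int)$v >= 10 && (int)$v <= 100,
    ];
    $name  = $post['name'] ?? null;
    $value = $post['value'] ?? null;
    // Reject arrays (name[]=...), unknown keys and values that fail validation.
    if (!is_string($name) || !is_string($value) || !isset($validators[$name])) {
        return false;
    }
    if (!$validators[$name]($value)) {
        return false;
    }
    $session[$name] = $value;
    return true;
}

// Constructed request body, shaped like a POST to an endpoint such as addsession.php.
$post = ['name' => 'is_admin', 'value' => '1'];

$unsafe = ['user_id' => 42, 'is_admin' => false];
store_unfiltered($unsafe, $post);
echo "unfiltered:  is_admin = ", var_export($unsafe['is_admin'], true), "\n";

$safe = ['user_id' => 42, 'is_admin' => false];
$accepted = store_allowlisted($safe, $post);
echo "allowlisted: accepted = ", var_export($accepted, true),
     ", is_admin = ", var_export($safe['is_admin'], true), "\n";

$accepted = store_allowlisted($safe, ['name' => 'theme', 'value' => 'dark']);
echo "allowlisted: accepted = ", var_export($accepted, true),
     ", theme = ", var_export($safe['theme'] ?? null, true), "\n";
```

In a request handler the same functions would be called with `$_SESSION` and `$_POST` after `session_start()`.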