douyanzan9145 2012-08-21 22:07
浏览 45
已采纳

更改session_name()是否真的有助于防止会话劫持?

These questions are related: one and two, the former says it's used to prevent name conflict between apps in the same domain. The latter says it can be used for anti-session hijacking.

While the former appears to be the real purpose of session_name(), I am not sure about the latter. Does it really protect against session hijacking? I think it can confuse the attacker in finding out cookie names instead of the default PHPSESSID but is that all?

What's the real purpose of session_name() ?

  • 写回答

2条回答 默认 最新

  • drxp993551 2012-08-21 22:21
    关注

    Does it really protect against session hijacking?

    No. It is trivial for an attacker to visit your site and see what session name you are using instead of the default (simply by viewing the headers), so this function doesn't really provide any session hijacking protection. Its purpose is to allow you to change the default PHPSESSID to something else, or avoid collisions between apps on the same domain.

    本回答被题主选为最佳回答 , 对您是否有帮助呢?
    评论
查看更多回答(1条)

报告相同问题?

悬赏问题

  • ¥15 Arcgis相交分析无法绘制一个或多个图形
  • ¥15 seatunnel-web使用SQL组件时候后台报错,无法找到表格
  • ¥15 fpga自动售货机数码管(相关搜索:数字时钟)
  • ¥15 用前端向数据库插入数据,通过debug发现数据能走到后端,但是放行之后就会提示错误
  • ¥30 3天&7天&&15天&销量如何统计同一行
  • ¥30 帮我写一段可以读取LD2450数据并计算距离的Arduino代码
  • ¥15 飞机曲面部件如机翼,壁板等具体的孔位模型
  • ¥15 vs2019中数据导出问题
  • ¥20 云服务Linux系统TCP-MSS值修改?
  • ¥20 关于#单片机#的问题:项目:使用模拟iic与ov2640通讯环境:F407问题:读取的ID号总是0xff,自己调了调发现在读从机数据时,SDA线上并未有信号变化(语言-c语言)