douweng7083 2016-04-13 18:53
Views: 10
Accepted

Are $_SESSION[] vars exploitable?

I'm developing an admin system for custom CMS. On all my pages which are part of the admin site I use a check_user() function. The check_user() function only does this:

<?php
function check_user()
{
    session_start();

    // Compare the session marker; isset() avoids a notice when nobody is
    // logged in, and === avoids PHP's loose-comparison surprises.
    if (isset($_SESSION['username']) && $_SESSION['username'] === "admin") {
        // logged in as admin: fall through to the page
    } else {
        header("Location: admin.php");
        // Without exit the rest of the page would still be sent after the
        // redirect header.
        exit;
    }
}

Though it seems a bit simple, is this enough to keep away unwanted members from the site? How exploitable are $_SESSION[] vars? Any suggestions to improve this function?

Thanks in advance!


1 answer

  • doudouji2016 2016-04-13 19:02

    In the given code, $_SESSION is not exploitable IF register_globals is off (which on all latest installs will be off... but just to be sure)

    Although depending on how these session parameters are set, it could be exploited. (i.e. using request parameters as keys in the session variable for example)

    To improve on this code, I would suggest always starting a session, independent of the check_user call. This enables you to reuse check_user.
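As an added illustration of the answer's points (this is example code, not from the original post): the session is started once in a shared include rather than inside check_user(), request parameters are never used as keys into $_SESSION, and the check itself compares strictly and stops execution after the redirect. File names and the helper functions are assumptions.

```php
<?php
// bootstrap.php (assumed name): included by every admin page, so the
// session is started exactly once, independent of check_user().
if (session_status() !== PHP_SESSION_ACTIVE) {
    session_start();
}

// Only keys the application itself defines may be written to the session.
const SESSION_KEYS = ['username', 'role', 'csrf_token'];

function set_session_value(string $key, $value): void
{
    // A request parameter must never choose the key: a pattern like
    // $_SESSION[$_GET['k']] = ... would let a client write 'username'
    // and satisfy check_user() without ever logging in.
    if (!in_array($key, SESSION_KEYS, true)) {
        throw new InvalidArgumentException("unknown session key: $key");
    }
    $_SESSION[$key] = $value;
}

function check_user(): void
{
    // isset() avoids a notice when nobody is logged in; === avoids loose
    // comparison; exit stops the page body from being sent after the
    // redirect header.
    if (!isset($_SESSION['username']) || $_SESSION['username'] !== 'admin') {
        header('Location: admin.php');
        exit;
    }
}

// login.php (assumed name): after a successful credential check, rotate the
// session id so an id issued before login is not carried over, then set
// the marker through the allow-listed setter.
function mark_logged_in(string $username): void
{
    session_regenerate_id(true);
    set_session_value('username', $username);
}
```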

