dqrl3595
2011-10-06 07:18
Views: 18
Accepted

Is there any chance of hacking CodeIgniter sessions? [closed]

Currently I am working with CI. I am using the CI session library; it saves all session values in a cookie. Is there any possibility to hack this (the session variables) by using a plugin like Web Developer in Mozilla?



2 answers

  • doubengshao8872 2011-10-06 07:27
    Accepted

    By default, sessions are made up of 4 pieces of information:

    1. The user's unique Session ID (this is a statistically random string with very strong entropy, hashed with MD5 for portability, and regenerated (by default) every five minutes)
    2. The user's IP Address
    3. The user's User Agent data (the first 120 characters of the browser data string)
    4. The "last activity" time stamp.

    Plus your own session data, of course. Three of these four items don't need to be secure, while the first should be quite reliable, even though it uses MD5; I didn't dive into the code to actually see if it is so (and I'm no security expert). The security level of the latter information depends on what kind of information you're storing there, and how well you treat it before storing it.

    You can also decide to store sessions using the database instead, which will be a safer option (provided you don't screw up allowing sql injections!).

    Note also that:

    If you have the encryption option enabled, the serialized array will be encrypted before being stored in the cookie, making the data highly secure and impervious to being read or altered by someone. More info regarding encryption can be found here, although the Session class will take care of initializing and encrypting the data automatically.

    So, well, they should be quite secure; if you don't trust them enough, you're free to hash or encrypt your data as much as you want, or still make use of PHP native sessions without problems.

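As an added example (not CodeIgniter's code and not the answer author's), here is a minimal PHP model of a cookie-stored session holding the four fields listed above plus user data, protected with an HMAC tag so that a value edited with a browser extension is rejected on the server; it shows in spirit what CodeIgniter 2.x's `sess_encrypt_cookie`, `sess_match_ip` and `sess_match_useragent` options are there for. The secret, the cookie layout (JSON instead of PHP `serialize()`) and the sample values are assumptions made for this example.

```php
<?php
// Added example, not CodeIgniter's own code: a cookie-stored session with the four fields
// from the answer plus user data, authenticated with an HMAC. Assumption: SECRET stays server-side.
const SECRET = 'replace-with-a-long-random-server-side-secret';

function make_session_cookie(array $user_data, string $ip, string $user_agent): string {
    $session = [
        'session_id'    => bin2hex(random_bytes(16)),   // random id (CI regenerates it periodically)
        'ip_address'    => $ip,
        'user_agent'    => substr($user_agent, 0, 120), // CI keeps the first 120 characters
        'last_activity' => time(),
        'user_data'     => $user_data,
    ];
    $payload = base64_encode(json_encode($session));
    return $payload . '.' . hash_hmac('sha256', $payload, SECRET);
}

// Returns the session, or null if the cookie was altered, expired, or came from another IP / user agent.
function read_session_cookie(string $cookie, string $ip, string $user_agent, int $max_age = 7200): ?array {
    $parts = explode('.', $cookie, 2);
    if (count($parts) !== 2) {
        return null;
    }
    [$payload, $tag] = $parts;
    // Constant-time comparison; any byte changed on the client side invalidates the tag.
    if (!hash_equals(hash_hmac('sha256', $payload, SECRET), $tag)) {
        return null;
    }
    $raw = base64_decode($payload, true);
    $session = ($raw === false) ? null : json_decode($raw, true);
    if (!is_array($session)) {
        return null;
    }
    if ($session['ip_address'] !== $ip || $session['user_agent'] !== substr($user_agent, 0, 120)) {
        return null;
    }
    if (time() - $session['last_activity'] > $max_age) {
        return null;
    }
    return $session;
}

// Usage with constructed values: a copy whose is_admin flag was flipped keeps the old tag and fails verification.
$cookie = make_session_cookie(['user_id' => 42, 'is_admin' => false], '203.0.113.5', 'Mozilla/5.0 (example)');
[$payload, $tag] = explode('.', $cookie, 2);
$edited = json_decode(base64_decode($payload), true);
$edited['user_data']['is_admin'] = true;
$forged = base64_encode(json_encode($edited)) . '.' . $tag;
var_dump(read_session_cookie($cookie, '203.0.113.5', 'Mozilla/5.0 (example)') !== null);
var_dump(read_session_cookie($forged, '203.0.113.5', 'Mozilla/5.0 (example)') === null);
```

Without the tag (or CI's encryption option) the same edit would be accepted as-is, which is why the answer's advice to keep sensitive values server-side, in the database, holds regardless of what the cookie contains.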
  • dongwen5336 2011-10-06 07:21

    It all depends on what sort of information you actually end up storing in the cookies. If there is a $_COOKIE['is_admin'] with value "false" .. well ..

    Essentially you have to examine the information you actually store on the user's computer. Usually for sessions it only stores the PHPSESSID, which contains a hash, and the rest of the values stay on the server.
