douya6606
douya6606
2017-04-30 23:46
浏览 70
已采纳

向服务器呈现会话ID会导致会话固定

Consider my code below:

<?php
session_start();

if(!isset($_SESSION['count'])) $_SESSION['count']=0;
else ++$_SESSION['count'];

echo $_SESSION['count'];
?>

when i call it up on my browser http://localhost/user_login.php?PHPSESSID=1234

when i press reload a few times I see that my counter its increasing, however when i type

http://localhost/user_login.php?PHPSESSID=5678

and reaload a few times I see that it count up again from 0.

When i leave the counter on a different number than the first url and then go back to the first url i see that the number changes back again!! It seems that I have created two different sessions and I could even create more this way !!! Is there any way to prevent from happeneing ?

图片转代码服务由CSDN问答提供 功能建议

请考虑下面的代码:

 &lt;?php \  nsession_start(); 
 
if(!isset($ _ SESSION ['count']))$ _SESSION ['count'] = 0; 
else ++ $ _ SESSION ['count']; 
 
echo $ _SESSION [  'count']; 
?&gt; 
   
 
 

当我在浏览器上调用它时 http://localhost/user_login.php?PHPSESSID = 1234

当我按下重新加载几次时,我看到我的计数器增加了,但是当我输入

http时 ://localhost/user_login.php?PHPSESSID = 5678

并重新实现几次,我看到它从0开始重新计数。

当我将计数器留在与第一个网址不同的数字上然后返回第一个网址时,我看到该数字再次变回!! 似乎我创建了两个不同的会话,我甚至可以创建更多这样的方式! 有没有办法防止发生?

  • 点赞
  • 写回答
  • 关注问题
  • 收藏
  • 邀请回答

1条回答 默认 最新

  • dougai2427
    dougai2427 2017-05-01 01:29
    已采纳

    This approach it's very dangerous the attacker would be able to take over any sessions that has not been deleted or expired.

    To prevent this, add a simple check to change the session ID using session_regenerate_id.

    This function keeps all current session variable values, but replaces the session ID with a new one that an attacker can not know.

    To do this, check for a special session variable that you arbitrarily invent. If it doesnt exists, you know that this is a new session, so you simply change the session ID and set the special session variable to note the change

    Code:

        <?php
    session_start();
    
    if(!isset($_SESSION['initiated'])){
        session_regenerate_id();
        $_SESSION['initiated']=1;
    }
    if(!isset($_SESSION['count'])) $_SESSION['count']=0;
    else ++$_SESSION['count'];
    
    echo $_SESSION['count'];
    ?>
    

    If you want to be ultra paranoid you can even regenerate the session ID on each request.

    点赞 评论

相关推荐