Can Anyone bypass my Login page if they can bypass it how they well do it
<?php
session_start();
if(isset($_SESSION['login']) == "Owner" or isset($_SESSION['login']) == "admin"){
echo 'login In';
}
?>
绕过会话验证php
- 写回答
- 好问题 0 提建议
- 追加酬金
- 关注问题
分享- 邀请回答
-
1条回答 默认 最新
- douci4026 2019-03-13 20:05关注
Storing the login status in the session variable is certainly a decently secure thing to do, however, it's not sufficient all by itself. If someone was able to access the session tables, (which is apparently doable in a shared hosting environment) and find the session ID of someone who is logged in, they could hijack the session. So more security is needed. (Google "Session Hijacking" for more information on what it is and how it's done)
I'm no security expert, but a few things I've done include recording their IP address and Client data, and checking those on each page load. If they're suddenly coming from a different IP address or using a different browser, then I log them out right away. However, as @Barmar noted, mobile devices can change IP addresses during a session, so this is probably not a good practice.
It would also be important to be using a secure connection (https) over TLS. If not, a man-in-the-middle could simply watch the packets going back and forth, pick up the username and password, and log in for themselves.
解决 无用评论 打赏举报 分享
- 2015-11-25 17:09回答 3 已采纳 The issue was with permissions on the session save path. I changed the path to where both director
- 2016-05-11 11:32回答 2 已采纳 If I understand your problem, multiple product amounts are being submitted, and you want to valida
- 2019-03-07 11:29回答 1 已采纳 Unless you do these session read/write operations millions of times (e.g. in a loop) you shouldn't
- 2021-04-29 05:09weixin_32459211的博客 在Web应用中,登录状态通常是通过Cookie中对应的session id验证的。也是就是说,我们只要携带上登录后的Cookies,浏览器就会自动识别我们为登录状态。由于Selenium每次启动的浏览器是一个隔离的环境,不能直接使用...
- 回答 3 已采纳 Operator [] adds a new element to array. To get elements for foreach loop you have to use it with
- 2018-08-17 09:28回答 2 已采纳 session_start() must be the second thing on your page after <?php. HTML tags must be placed aft
- 2019-02-04 15:31回答 1 已采纳 The problem is not about LDAP, the problem is about HTTP. HTTP is a stateless protocol whereas LD
- 2021-04-24 14:24龟与神经贱的博客 本文给大家介绍通过Cookie跳转过验证码,今天,就详细的介绍一下cookie绕过验证码登录的实现代码。#coding:utf-8'''cookie绕过验证码登录,第一步先访问登录页面获取登录前的cookie,第二步用fiddler抓到的手动登录...
- 回答 2 已采纳 I saw two vulnerabilities: 1) CSRF (using variable directly from get method ) 2) Exit not used a
- 2011-02-10 16:08回答 4 已采纳 About security: You describe the hijack risk yourself quite well. More important is the question o
- 2017-11-21 17:01回答 1 已采纳 Since they share the same domain, they are the same site and share a session. You can manually ov
- 2023-02-27 18:09田小涛的博客 解决方式 开启请求会话并且挂载适配器 import requests import json from requests.adapters import HTTPAdapter from urllib3.util.ssl_ import create_urllib3_context class CipherAdapter(HTTPAdapter): def ...
- 2017-02-22 09:59回答 3 已采纳 No, the session garbage collection is managed by the system, based on the session.gc_maxlifetime
- 2021-04-12 23:13逆光的温暖的博客 本文主要给大家介绍通过Cookie跳转过验证码,今天,就详细的介绍一下cookie绕过验证码登录的实现代码。希望能帮助到大家。#coding:utf-8'''cookie绕过验证码登录,第一步先访问登录页面获取登录前的cookie,第二步用...
- 2023-02-13 14:38Almond_02的博客 PHP 提供了用于处理用户身份验证和会话的内置函数和功能,这是登录系统的基本组件。这些功能允许您安全地存储和验证用户凭据,并在用户与您的网站或应用程序的交互过程中维护用户会话。还有许多 PHP 框架和库可用,...
- 没有解决我的问题, 去提问
悬赏问题
- ¥15 oracle集群安装出bug
- ¥15 关于#python#的问题:自动化测试
- ¥20 问题请教!vue项目关于Nginx配置nonce安全策略的问题
- ¥15 教务系统账号被盗号如何追溯设备
- ¥20 delta降尺度方法,未来数据怎么降尺度
- ¥15 c# 使用NPOI快速将datatable数据导入excel中指定sheet,要求快速高效
- ¥15 再不同版本的系统上,TCP传输速度不一致
- ¥15 高德地图2.0 版本点聚合中Marker的位置无法实时更新,如何解决呢?
- ¥15 DIFY API Endpoint 问题。
- ¥20 sub地址DHCP问题