Question
I am currently doing a website in php, we are using a Session variable to store the permission level of each user.
For example, if any one of you would go on the website, you would automatically get a session variable with a value of "member".
What I am asking is: Is it possible for an attacker to go on the website and modify the value of the session variable to "admin" instead of "member"?
I am not asking how, just if it is possible, and if so, what kind of special access would the attacker need (ex: access to the code, ....)?
I have an alternative solution, which would be to replace the permission value with a token that would expire over time.
The second solution is way longer to implement.
Thanks for your help!
Answer 1:
No, unless:
- The attacker had access to the storage of the session variables (usually the filesystem of the server, but could also be e.g. a database)
- The attacker intercepted a session cookie of a more privileged user.
- The attacker successfully fixated the session of a more privileged user (see session fixation attacks).
Answer 2:
From what you've described I assume you aren't storing the permission in a cookie. Therefore, the only way they could get access would be to guess/brute force an administrator's session ID or use some cross-site scripting attack. If your session IDs are sufficiently long the first method would be very hard to accomplish.
Answer 3:
The higher risk comes from an attacker stealing an active session, you can find about it here:
- http://samy.pl/
- http://samy.pl/phpwn/
Answer 4:
Your session variables should be safe because the session is stored on the server. However, in order to relate a specific client with a specific session, a cookie is usually set that contains a session ID, and an attacker could try to access a different user's session by munging their session ID cookie (either by brute force or by somehow capturing someone else's cookie).
Answer 5:
It depends on how you are storing the session. If it is in the URL, then yes. If it is in a cookie, then maybe.
Answer 6:
Unless there's a security flaw in your app, someone can't just up and change session variables -- those are stored on the server, and the client never has direct access to them.
What they can do, however, is change their session ID by going to a URL like http://your.site.com/?PHPSESSID=2342f24502ade525 . The potential for abuse there is twofold: (1) if they happened to know a logged-in user's session ID somehow, the session ID would let them impersonate that user, giving them all the access that user has; and (2) If they can trick someone into going to a URL that has a session ID attached, and that person logs in, they now know that user's session ID (because they provided it!), and we're back to (1).
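The answers above all make the same point from different angles: the permission value itself lives in `$_SESSION` on the server and cannot be edited by the client, so what actually needs protecting is the session ID that maps a browser to that server-side record (guessing it, stealing the cookie, fixating it, or supplying it in the URL as in answer 6). The following is an added example, not code from the question or any of the answers, showing the PHP session configuration and login handler a defender would use to close those paths. It assumes PHP 7.3 or later (array form of `session_set_cookie_params`), and the `findUserByName()` user store is a constructed in-memory stand-in for your own database lookup.

```php
<?php
// Added example: hardened PHP session handling for a role stored in $_SESSION.
// Assumes PHP >= 7.3. findUserByName() below is a constructed sample store.

declare(strict_types=1);

function configureSession(): void
{
    // Answer 6: never accept a session ID from the URL (?PHPSESSID=...);
    // the ID may only arrive in the cookie.
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_trans_sid', '0');

    // Answers 1 and 6 (fixation): reject any ID PHP did not generate itself,
    // so a planted ID is never turned into a live session.
    ini_set('session.use_strict_mode', '1');

    // Answer 2 (guessing): 48 characters drawn from a 64-symbol alphabet give
    // 288 bits of entropy, far beyond brute-force range. (These two settings
    // exist from PHP 7.1 and are deprecated in 8.4, whose defaults suffice.)
    ini_set('session.sid_length', '48');
    ini_set('session.sid_bits_per_character', '6');

    // Answers 2, 3 and 4 (stolen cookie): not readable from JavaScript, only
    // sent over HTTPS, and not attached to cross-site requests.
    session_set_cookie_params([
        'lifetime' => 0,
        'path'     => '/',
        'domain'   => '',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Strict',
    ]);

    session_start();
}

/**
 * Constructed sample user store for this example; a real app queries its DB.
 * Returns ['name' => ..., 'password_hash' => ..., 'role' => ...] or null.
 */
function findUserByName(string $username): ?array
{
    static $users = null;
    if ($users === null) {
        $users = [
            'alice' => ['name' => 'alice', 'role' => 'admin',
                        'password_hash' => password_hash('correct horse', PASSWORD_DEFAULT)],
            'bob'   => ['name' => 'bob',   'role' => 'member',
                        'password_hash' => password_hash('battery staple', PASSWORD_DEFAULT)],
        ];
    }
    return $users[$username] ?? null;
}

/**
 * Verify credentials and assign the role on the server side. Returns true on success.
 */
function login(string $username, string $password): bool
{
    $user = findUserByName($username);
    if ($user === null || !password_verify($password, $user['password_hash'])) {
        return false;
    }

    // Answer 1 (fixation): whatever ID the visitor held before authenticating is
    // discarded (and its data deleted), so a pre-planted ID never becomes privileged.
    session_regenerate_id(true);

    // The role is written only here, after a successful check. The browser holds
    // nothing but the fresh session ID cookie; it cannot reach into $_SESSION.
    $_SESSION['user']       = $user['name'];
    $_SESSION['role']       = $user['role'];
    $_SESSION['login_time'] = time();
    return true;
}

/**
 * Gate a page on the server-side role; a "member" session never satisfies 'admin'.
 */
function requireRole(string $role): void
{
    if (($_SESSION['role'] ?? 'guest') !== $role) {
        http_response_code(403);
        exit('Forbidden');
    }
}

function logout(): void
{
    $_SESSION = [];
    // Expire the cookie in the browser as well as destroying the server-side record.
    $p = session_get_cookie_params();
    setcookie(session_name(), '', time() - 42000, $p['path'], $p['domain'],
              $p['secure'], $p['httponly']);
    session_destroy();
}

// Usage on a protected page:
//   configureSession();
//   requireRole('admin');
```

The design choice worth noting is that `session_regenerate_id(true)` runs after credential verification but before the role is written: that ordering is what defeats the fixation scenario in answer 6 (2), because the ID the attacker handed out is destroyed at the moment the victim's privileges would otherwise attach to it. `session.use_strict_mode` closes the same hole from the other side by refusing client-supplied IDs that PHP never issued.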
Source: https://stackoverflow.com/questions/3443677/is-it-possible-to-pirate-a-session-variable-i-do-not-want-to-know-how