Php session fixation example and fixes

Backend · Unresolved · 4 replies · 1060 views
礼貌的吻别 2021-01-14 02:29

My question is about this summary on session fixation:

  • Alice has an account at the bank http://unsafe.com/. Unfortunately, Alice is not very security savvy.

4 replies
  •  轮回少年
    2021-01-14 03:06

    Question 1) If your application needs a session, you will have to send some kind of session ID. If your application doesn't use sessions, then there is no need to call session_start(), and IDs (whether sent by URL or cookie) are simply not used.

    Question 2) You can configure PHP to accept session IDs exclusively from cookies and to ignore IDs from the URL (see session.use_only_cookies). If you do that, you should also check that the option session.use_trans_sid is set to 0 (this is the default).

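As an added illustration (not part of the answer above), here is a PHP session bootstrap that applies the cookie-only settings the reply describes and regenerates the session ID at login, which is the standard session fixation mitigation. PHP 7.3+ is assumed for the array form of session_set_cookie_params(); login_user() and logout_user() are hypothetical handlers, and check_credentials() is assumed to exist elsewhere.

```php
<?php
// Added example, not from the original thread: hardened session setup.

// Accept the session ID only from the session cookie, never from the URL.
ini_set('session.use_only_cookies', '1');
// Never append the ID to links or forms (0 is already the default).
ini_set('session.use_trans_sid', '0');
// Reject IDs the server never issued, so a planted ID cannot be "adopted".
ini_set('session.use_strict_mode', '1');
// Cookie flags: unreadable from script, HTTPS only, not sent cross-site.
session_set_cookie_params([
    'httponly' => true,
    'secure'   => true,
    'samesite' => 'Lax',
]);

session_start();

// Hypothetical login handler. Credentials are assumed to have been verified
// already by check_credentials() (not shown). Regenerating the ID at the
// moment privileges change means any ID an attacker planted before login
// is discarded instead of being promoted to an authenticated session.
function login_user(int $userId): void
{
    session_regenerate_id(true); // true: also delete the old session file
    $_SESSION['user_id'] = $userId;
}

// Hypothetical logout handler: clear data and invalidate the session.
function logout_user(): void
{
    $_SESSION = [];
    session_destroy();
}
```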