Is there any chance to hack codeigniter sessions? [closed]

Developer https://www.devze.com 2023-04-10 21:03 Source: web
As it currently stands, this question is not a good fit for our Q&A format. We expect answers to be supported by facts, references, or expertise, but this question will likely solicit debate, arguments, polling, or extended discussion. If you feel that this question can be improved and possibly reopened, visit the help center for guidance. Closed 10 years ago.

Currently I am working with CI. I am using the CI session library; it saves all session values in a cookie. Is there any possibility to hack this (the session variables) by using a plugin like Web Developer in Mozilla?


By default, sessions are made of 4 pieces of information:

  1. The user's unique Session ID (this is a statistically random string with very strong entropy, hashed with MD5 for portability, and regenerated (by default) every five minutes)
  2. The user's IP Address
  3. The user's User Agent data (the first 120 characters of the browser data string)
  4. The "last activity" time stamp.

Plus your own session data, of course. Three of these four items don't need to be secure, while the first should be quite reliable, even though it uses MD5; I didn't dive into the code to actually see if it is so (and I'm no security expert). The security level of the last item depends on what kind of information you're storing there, and how well you treat it before storing.

You can also decide to store sessions using the database instead, which will be a safer option (provided you don't screw up by allowing SQL injections!).

Note also that:

If you have the encryption option enabled, the serialized array will be encrypted before being stored in the cookie, making the data highly secure and impervious to being read or altered by someone. More info regarding encryption can be found here, although the Session class will take care of initializing and encrypting the data automatically.

So well, they should be quite secure; if you don't trust them enough, you're free to hash or encrypt your data how much you want, or still make use of PHP native Sessions without problems.


It all depends on what sort of information you actually end up storing in the cookies. If there is a $_COOKIE['is_admin'] with value "false"... well...

Essentially you have to examine the information you actually store on the user's computer. Usually for sessions it only stores the PHPSESSID, which contains a hash, and the rest of the values stay on the server.

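Both answers come down to the same point: whatever rides in a client-side cookie can be read and edited in the browser, so the server must be able to tell a genuine cookie from an altered one. The PHP below is an added example, not CodeIgniter's or either answerer's code. It builds a cookie with the four fields the first answer lists plus one piece of user data, protects the serialized array with an HMAC under a server-held key, and shows the verifier rejecting a copy whose is_admin flag was flipped in the browser. The key, timestamp, IP and user agent are constructed sample values.

```php
<?php
// Build the cookie: serialized session array plus an HMAC computed with a key
// that only the server knows. Without the key, an edited payload cannot be
// given a matching tag. (Constructed example; CI itself uses its own format.)
function build_session_cookie(array $data, string $key): string {
    $payload = serialize($data);
    $mac = hash_hmac('sha256', $payload, $key);
    return base64_encode($payload) . '.' . $mac;
}

// Returns the session array, or null if the cookie was altered, expired (the
// five-minute window from the answer), or presented from another IP / browser.
function read_session_cookie(string $cookie, string $key, string $ip, string $ua, int $now): ?array {
    $parts = explode('.', $cookie, 2);
    if (count($parts) !== 2) return null;
    $payload = base64_decode($parts[0], true);
    if ($payload === false) return null;
    // Constant-time comparison of the tag before touching the payload.
    if (!hash_equals(hash_hmac('sha256', $payload, $key), $parts[1])) return null;
    $data = unserialize($payload, ['allowed_classes' => false]);
    if (!is_array($data)) return null;
    foreach (['ip_address', 'user_agent', 'last_activity'] as $field) {
        if (!isset($data[$field])) return null;
    }
    if ($data['ip_address'] !== $ip || $data['user_agent'] !== substr($ua, 0, 120)) return null;
    if ($now - (int) $data['last_activity'] > 300) return null;
    return $data;
}

$key = 'constructed-demo-key-replace-in-production';  // server-side secret (constructed)
$ip  = '203.0.113.7';                                 // RFC 5737 documentation address
$ua  = 'Mozilla/5.0 (constructed demo agent)';
$now = 1700000000;                                    // fixed "now" for a repeatable run

$session = [
    'session_id'    => md5(random_bytes(32)),  // the answer: random id hashed with MD5
    'ip_address'    => $ip,
    'user_agent'    => substr($ua, 0, 120),    // first 120 characters, as the answer says
    'last_activity' => $now,
    'is_admin'      => false,                  // user data riding in the same cookie
];
$cookie = build_session_cookie($session, $key);
var_dump(read_session_cookie($cookie, $key, $ip, $ua, $now) !== null);  // genuine cookie accepted

// The edit a browser plugin could make: flip the serialized boolean (b:0; -> b:1;)
// in the payload while keeping the original tag. The HMAC check rejects it.
$parts  = explode('.', $cookie, 2);
$edited = base64_encode(str_replace('b:0;', 'b:1;', base64_decode($parts[0]))) . '.' . $parts[1];
var_dump(read_session_cookie($edited, $key, $ip, $ua, $now) === null);   // tampered cookie rejected
```

The same verification logic would reject a cookie replayed after the five-minute window or from a different IP or user agent, which is what the four default fields are for.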
