
I've been reading into some articles about PHP security, and I came across this article:
http://shiflett.org/articles/session-fixation

This article describes that one can easily fixate a session by passing the PHPSESSID variable in a URL request (for example ?PHPSESSID=1234). However, it is my understanding (and please correct me if I am wrong) that PHP treats $_GET, $_SESSION and $GLOBALS as different types of variables when register_globals is set to off in php.ini, and therefore using ?PHPSESSID=1234 in a URL request should not produce this problem.

I have tested the following script:

<?php
// Starts (or resumes) the session; the id is read by the session module itself.
session_start();

// Per-session request counter: first visit sets it to 0, later visits increment it.
if (!isset($_SESSION['count']))
{
    $_SESSION['count'] = 0;
}
else
{
    $_SESSION['count']++;
}

echo $_SESSION['count'];

But I can't seem to reproduce the fixation of sessions on my server, and I assumed it is because I have register_globals set to off in my php.ini.
Am I wrong about this?
It seems important to know for sure.


1 Answer


I believe there is a separate PHP configuration option, session.use_trans_sid, which allows the session to be passed via the URL regardless of the register_globals setting.

answered 2013-05-01T17:12:17.500
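The settings that decide whether PHP adopts a session id from the URL live in the session module, not in register_globals: the id is read from the cookie, or from the request parameters when session.use_only_cookies is 0 (its default has been 1 since PHP 5.3.0), and session.use_trans_sid only governs whether PHP rewrites links and forms to carry the id. The script below is an added example (not the poster's script, the linked article's code, or the answerer's) that puts the weak values beside the hardened ones around the counter from the question and adds the id regeneration that defeats fixation even where the ini values cannot be changed. The filename counter.php, the host 127.0.0.1:8000 and the id attackerchosenid in the curl check are assumptions; PHP 7 or later is assumed for the syntax.

```php
<?php
// Added example: hardened version of the counter script from the question.
// Assumed filename: counter.php

// --- Weak configuration (php.ini or ini_set), shown for comparison only: ---
//   session.use_only_cookies = 0   ; accept the id from ?PHPSESSID=... or a POST field
//   session.use_trans_sid    = 1   ; rewrite links and forms so they carry the id
//   session.use_strict_mode  = 0   ; adopt any id the client presents, even an unknown one
// None of these depend on register_globals: the session module reads the id
// itself rather than through the $_GET array.

// --- Hardened configuration; must be set before session_start(). ---
ini_set('session.use_only_cookies', '1'); // id is taken from the cookie only
ini_set('session.use_trans_sid', '0');    // never put the id into URLs
ini_set('session.use_strict_mode', '1');  // ids PHP did not generate are discarded (PHP >= 5.5.2)
ini_set('session.cookie_httponly', '1');  // keep the cookie out of document.cookie
ini_set('session.cookie_secure', isset($_SERVER['HTTPS']) ? '1' : '0');
session_start();

// Fixation only pays off if an attacker-chosen id survives the moment the
// session gains value (login). Regenerating the id there closes the hole
// regardless of the ini settings above.
function login(string $user): void
{
    session_regenerate_id(true);      // fresh id; old session file is deleted
    $_SESSION['user'] = $user;
    $_SESSION['logged_in_at'] = time();
}

function logout(): void
{
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
                  $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
}

// The counter from the question, behaviour unchanged.
if (!isset($_SESSION['count'])) {
    $_SESSION['count'] = 0;
} else {
    $_SESSION['count']++;
}

// Assumed login form: POST user=<name>
if (isset($_POST['user'])) {
    login($_POST['user']);
}

header('Content-Type: text/plain');
echo "session id: " . session_id() . "\n";
echo "count: " . $_SESSION['count'] . "\n";
echo "user: " . ($_SESSION['user'] ?? '(anonymous)') . "\n";

// Manual check with PHP's built-in server (assumed host and id):
//   php -S 127.0.0.1:8000
//   curl -s -c - 'http://127.0.0.1:8000/counter.php?PHPSESSID=attackerchosenid'
// With the hardened settings the Set-Cookie in the response carries a freshly
// generated id, not "attackerchosenid". Change the three session.* values to
// the weak ones and the same request prints "session id: attackerchosenid",
// which is the fixation the linked article describes.
```

The comparison in the comments is what reproduces the original experiment: whether the request with ?PHPSESSID= changes the id is decided entirely by session.use_only_cookies and session.use_strict_mode, so a php.ini with the defaults of a modern PHP will not show the fixation no matter how register_globals is set. The session_regenerate_id(true) call in login() is the part to keep even on a server whose ini values are out of your control.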