Home > Backend Development > PHP Tutorial > Issues with session passing through URL

Issues with session passing through URL

WBOY
Release: 2016-07-06 13:51:12
Original
1393 people have browsed it

Today I learned about session transmission through URL, so I wanted to try it out, so I wrote two pages with the following content:

【index.php】

<code><?php
    session_start();    
    $_SESSION["username"] = "admin";       
    echo "Session ID: ".session_id()."<br>";               
?>
<a href="2.php?<?php echo SID ?>">来不及了,快上车!</a>  
</code>
Copy after login
Copy after login

【2.php】

<code><?php
    session_start();  
        echo SID;              
</code>
Copy after login
Copy after login

Open index.php as shown below:
Issues with session passing through URL

After clicking the link, the page will be redirected as shown in the picture:

Issues with session passing through URL

My question is: Logically speaking, the session IDs of the two pages should be the same, but why are they different? I am a novice, and I would like to ask a master to help me answer my questions. . .

Reply content:

Today I learned about session transmission through URL, so I wanted to try it out, so I wrote two pages with the following content:

【index.php】

<code><?php
    session_start();    
    $_SESSION["username"] = "admin";       
    echo "Session ID: ".session_id()."<br>";               
?>
<a href="2.php?<?php echo SID ?>">来不及了,快上车!</a>  
</code>
Copy after login
Copy after login

【2.php】

<code><?php
    session_start();  
        echo SID;              
</code>
Copy after login
Copy after login

Open index.php as shown below:
Issues with session passing through URL

After clicking the link, the page will be redirected as shown in the picture:

Issues with session passing through URL

My question is: Logically speaking, the session IDs of the two pages should be the same, but why are they different? I am a novice, and I would like to ask a master to help me answer my questions. . .

Why should we include session in the URL?
1.This is not safe, assuming you are the administrator, if I grab a packet in the LAN and bring your session_id, then I will be the administrator;
2. Nowadays, cookies are generally used to pass session_id. As long as it is an HttpOnly cookie, you are not afraid of XSS attacks , and Do not use Apache2.2 as the server. There is a 400 bad request vulnerability that can leak HttpOnly cookies. ;
3. If the browser disables cookies, it will not allow login. This can be achieved with JavaScript.

SID is a constant containing the session name and session ID in the format of "name=ID". It returns the same ID as session_id(), but only when the client does not have a session cookie will have a value, otherwise the value of SID is empty string.

  1. If you jump from index.php to 1.php without disabling client cookies, the output SID should be an empty string;

  2. If cookies are disabled and the Session ID in the cookie cannot be obtained from the client, a new session will be generated, and a different SID will be output every time it jumps to 1.php;

  3. php.ini adds the use_only_cookies setting starting from PHP 4.3.0, which specifies whether to only use cookies to store session IDs on the client side. . Enabling this setting prevents attacks involving session IDs being passed through URLs. As of PHP 5.3.0, the default value is changed to 1 (enabled) .

    Transfer session ID
    Predefined constants

The subject of the question does not have a solid foundation. First of all, the SID variable is not assigned a value. Secondly, the get parameter does not even include key=. Finally, who told you that ordinary variables can be passed across pages? Unless it is a session or application super global variable.

I would like to know where you learned about sessions passing through URLs. I may be able to give you an answer after reading the original article.

Related labels:
php
source:php.cn
Statement of this Website
The content of this article is voluntarily contributed by netizens, and the copyright belongs to the original author. This site does not assume corresponding legal responsibility. If you find any content suspected of plagiarism or infringement, please contact admin@php.cn
Popular Tutorials
More>
Latest Downloads
More>
Web Effects
Website Source Code
Website Materials
Front End Template