Welcome to OGeek Q&A Community for programmer and developer-Open, Learning and Share
Welcome To Ask or Share your Answers For Others

Categories

0 votes
679 views
in Technique[技术] by (71.8m points)

php - Are Laravel session variables secure?

Is there any (known) way for end users to edit a Laravel session variable?

See Question&Answers more detail:os

与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
Welcome To Ask or Share your Answers For Others

1 Reply

0 votes
by (71.8m points)

Is there any (known) way for end users to edit a Laravel 4 session variable?

Yes there is, but only if you go out of your way to make it possible. The steps required are:

  1. Use the cookie driver for sessions (which stores all session data into a cookie rather than simply storing an identifier in the cookie and keeping the actual data server-side). I generally recommend against storing session state in a cookie.
  2. Turn off session encryption, which the documentation strongly says not to do.

If you do these ill-advised steps, in addition to allowing users to overwrite session data, this is a risk for PHP object injection via unserialize().

Advice: If you are going to store session state in a cookie, make sure it's wrapped in authenticated encryption. Laravel's encryption library employs authenticated encryption (Encrypt then MAC), and the sessions use this by default.


As for the other drivers, that depends on your network topology. If your database is on another server and your attacker can impersonate the web server, they can put whatever they want in the database.

Last I checked, Laravel defaults to encrypt session data (unless you disable encryption). Unless your database is on the same host as the webserver, leave it turned on.


与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
OGeek|极客中国-欢迎来到极客的世界,一个免费开放的程序员编程交流平台!开放,进步,分享!让技术改变生活,让极客改变未来! Welcome to OGeek Q&A Community for programmer and developer-Open, Learning and Share
Click Here to Ask a Question

...