PHP Secure Programming: Session Data injection. PHP Secure Programming: Session Data injection is a problem similar to session exposure. This type of attack is based on your WEB server. in addition to having read permission on the session storage directory, there are also PHP Security programming: Session Data injection.
Session injection is a problem similar to session exposure. This type of attack is based on the fact that your WEB server has read permission on the session storage directory and write permission. Therefore, it is possible to write a script that allows other users to add, edit, or delete sessions. The following example shows an HTML form that allows users to easily edit existing session data:
The script inject. php executes the modifications specified by the form:
$sess_data){ $_SESSION = $sess_data; $sess_data = session_encode; file_put_contents($path/$sess_name, $sess_data);}$_SESSION = array();?>
Such attacks are very dangerous. Attackers can not only edit user data, but also edit their own session data. It is more powerful than session hijacking because attackers can select all session data for modification, making it possible to bypass access restrictions and other security measures.
The best solution to this problem is to save session data in the database. See the content before the topic.
Additional reading
Session injection is a problem similar to session exposure. This type of attack is based on your WEB server. in addition to having read permission on the session storage directory, there are also...