Use SESSION to detect WEBSHELL for SESSION Verification

Different from COOKIE, SESSION is a file stored on the client, while SESSION is stored on the server, enhancing the security. If the verification method of a WEBSHELL is SESSION, we can detect the server Trojan.
My environment is IIS + PHP, in PHP. in ini, there is such an option, session. gc_maxlifetime = 1440, that is, the default expiration time of the SESSION is 24 minutes. If the client does not respond, the session file will be deleted after 24 minutes, even if the browser is closed on the client, its session file still exists on the server, php. set the storage path to session in ini. save_path = "C: \ Windows \ Temp". By default, the session file is stored in the temp folder of the system directory. Because session verification is to store it on the server, if too many, it will also have a certain impact on performance, so session verification is generally used for website background management, through the source code to determine some session names, if an unknown session name appears in the temp directory, you can check whether it is a webshell.

This is the verification code for a php webshell:
 

session_start();$pass = "123";if(isset($_POST["pass"])){ if($pass  == $_POST["pass"]){  $_SESSION["webshell"]=$pass; }}

The above code, if pass is equal to 123, passes verification. The session name is webshell and the value is the submitted password. Open the c: \ windows \ temp directory and arrange the files according to the creation time. The last extra session file is displayed. The file name is similar to sess_140eec21d9f2b239aa5d9904ebbe6bd9, and sess _ is followed by the MD5 value, use NotePad to open the created content class:
Webshell | s: 3: "123 ";
The first is the session name, and the last is the password.

This method has many limitations. 1. Some webshells use cookie verification (some have cookie spoofing vulnerabilities). 2. You must be familiar with the session name of the program on the server, in addition, webshell may have the same session as other programs. 3. It is too troublesome. 4. The session file storage time is limited. Therefore, this method is only used as a technique and is useful in practice.