proyb3

Reputation: 1

spoof $session['xyz']

I am evaluating a way to secure PHP pages. I wonder if someone can provide me with code to spoof by sending a fake referer to $_session['xyz'] in main.php?

Do I have to know the session variable before I could send a spoof value?

So far I tried my code below.

    <?php
    // Target host and script. Note: PHP's header() only sets headers on this
    // script's own HTTP *response*; it cannot add a Referer to an outgoing
    // request, so the outgoing header has to go into the stream context below.
    $host = "domain.com.sg";
    $file = "demo.php";

    // Request options: an empty POST carrying a client-chosen Referer header.
    $hdrs = array('http' => array(
        'method' => "POST",
        'header' => "Accept-Language: en\r\n" .
            "Host: $host\r\n" .
            "Referer: http://$host\r\n",
        'content' => "",
    ));

    $context = stream_context_create($hdrs);

    // Open the remote page through the context so the custom headers are sent.
    $fp = fopen("http://$host/$file", 'r', false, $context);
    if ($fp === false) {
        die("could not open http://$host/$file");
    }

    // Echo the remote response back to the caller.
    fpassthru($fp);
    fclose($fp);
    ?>

Upvotes: 0

Views: 927

Answers (1)

Marc B

Reputation: 360762

Session values are kept server-side. Unless your PHP has register_globals enabled, the only way a remote user could directly set something in the session is via your code. So if you don't have something like:

    $_SESSION['xyz'] = $_GET['xyz'];

anywhere, then it's "safe".

As for the referer itself, that's just an HTTP header, which is COMPLETELY under control of the user. It's best to ignore the referer completely, or at least treat it as you would toxic waste.

Upvotes: 3
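To make the answer's two points concrete, here is an added example (not code from the question or from Marc B's answer) that puts the weak pattern the answer warns about next to a version where the session value is decided server-side. The script name demo.php, the key 'xyz' and the in-memory user table are assumed for illustration.

```php
<?php
// Added example, not code from the question or from Marc B's answer.
// Contrasts trusting client-controlled input (Referer, $_GET) with a
// server-side decision for $_SESSION['xyz']. User table is constructed.

session_start();

// Constructed user store: a real application reads this from a database.
$USERS = ['alice' => password_hash('correct horse', PASSWORD_DEFAULT)];

// WEAK: copies client input into the session. A visitor picks the value
// of $_SESSION['xyz'] simply by requesting main.php?xyz=whatever.
function set_xyz_from_request(array $get): void {
    $_SESSION['xyz'] = $get['xyz'] ?? null;
}

// WEAK: treats the Referer header as proof the visitor came via demo.php.
// The header is supplied by the client and can be set to any string, as
// the stream_context code in the question itself shows.
function came_from_demo(array $server): bool {
    return ($server['HTTP_REFERER'] ?? '') === 'http://domain.com.sg/demo.php';
}

// HARDENED: $_SESSION['xyz'] is set only after a server-side credential
// check; the request decides nothing except whether that check passes.
// session_regenerate_id(true) discards whatever session id the client
// arrived with, so a pre-chosen id cannot be reused after login.
function login(array $users, string $user, string $password): bool {
    if (!isset($users[$user]) || !password_verify($password, $users[$user])) {
        return false;
    }
    session_regenerate_id(true);
    $_SESSION['xyz'] = $user;            // value chosen by the server
    $_SESSION['logged_in_at'] = time();
    return true;
}

// Authorization reads the session only, never $_GET, $_POST or Referer.
function require_login(): void {
    if (empty($_SESSION['xyz'])) {
        http_response_code(403);
        exit('login required');
    }
}

// Usage for a POSTed login form; field names are assumed.
if (login($USERS, $_POST['user'] ?? '', $_POST['password'] ?? '')) {
    require_login();
    echo 'welcome, ' . htmlspecialchars($_SESSION['xyz']);
}
```

The two WEAK functions are included only to show what the answer's `$_SESSION['xyz'] = $_GET['xyz']` and referer-trusting patterns look like; nothing in the hardened path calls them.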
