The problem with using just a session_id is that it becomes very easy to hijack (take over) a session. All a user need do is obtain the session_id and add it to the URL as they browse the board. If the id they grab happens to be a logged in admin or moderator ... well, you get the picture.
What we do to help complicate the situation is also tie the session to the user's IP. Using this method someone would need to spoof an IP and obtain the session_id in order to hijack a session, not incredibly difficult but certainly harder ... and with this sort of software it's really a case of making everything harder to do, thus dissuading all but the most ardent "hackers" from bothering to attempt anything.
Taken from the English explanation of the Invalid_session error; for the complete explanation, see the first post.
If the security check only checks the user's session_id, then a hacker only needs to obtain your session_id and paste it after the URL, and he can easily "become that person". If that session_id happens to belong to a moderator or administrator, you can imagine the consequences.
The security check used in phpBB 2.0.4 uses not only the session_id, but also requires that the user presenting that session_id has the correct IP; otherwise an Invalid_session error occurs. This makes it harder for hackers to hack your forum.
~Mac
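To make the two checks described above concrete, here is an added example in Python (not phpBB's own code; phpBB 2.0.4 does this in PHP against its sessions table). It keeps a constructed in-memory session store, shows the session_id-only check beside the session_id-plus-IP check, and produces a log line when a real session_id arrives from an address other than the one it was created from, which is the situation reported as Invalid_session. The `ip_octets` setting is a hypothetical knob added for illustration, not a phpBB 2.0.4 option.

```python
"""Session validation tied to the client IP (added example, not phpBB code)."""
import secrets
from dataclasses import dataclass


@dataclass
class Session:
    user_id: str
    ip: str  # address the session was created from


def _ip_prefix(ip: str, octets: int) -> str:
    """First `octets` dotted-quad parts of an IPv4 address, e.g. '203.0.113'."""
    return ".".join(ip.split(".")[:octets])


class SessionStore:
    """Constructed in-memory store standing in for the board's sessions table."""

    def __init__(self, ip_octets: int = 4):
        # Hypothetical knob for illustration only: 4 = whole address must
        # match (the phpBB 2.0.4 behaviour described in the post), 3 = only
        # the first three octets, which tolerates some address churn.
        self._sessions: dict[str, Session] = {}
        self.ip_octets = ip_octets

    def create(self, user_id: str, client_ip: str) -> str:
        sid = secrets.token_hex(16)  # unguessable 128-bit session_id
        self._sessions[sid] = Session(user_id, client_ip)
        return sid

    def validate_id_only(self, sid: str):
        """The weak check the post warns about: the session_id alone decides."""
        s = self._sessions.get(sid)
        return s.user_id if s else None

    def validate(self, sid: str, client_ip: str):
        """Stronger check: session_id AND originating IP must both match."""
        s = self._sessions.get(sid)
        if s is None:
            return None
        if _ip_prefix(s.ip, self.ip_octets) != _ip_prefix(client_ip, self.ip_octets):
            return None  # what phpBB reports as Invalid_session
        return s.user_id


def check_request(store: SessionStore, sid: str, client_ip: str):
    """Return (user_or_None, log_line) so mismatches can be spotted in logs."""
    user = store.validate(sid, client_ip)
    if user is not None:
        return user, f"ok sid={sid[:8]}.. user={user} ip={client_ip}"
    if store.validate_id_only(sid) is not None:
        # A genuine session_id presented from a different address: exactly
        # the reuse the post describes, so it deserves its own log line.
        return None, f"Invalid_session sid={sid[:8]}.. ip={client_ip} (IP mismatch)"
    return None, f"unknown sid={sid[:8]}.. ip={client_ip}"


if __name__ == "__main__":
    # Constructed scenario: an admin logs in, then the same session_id is
    # presented from a second address (e.g. copied out of a URL).
    store = SessionStore()
    admin_sid = store.create("admin", "203.0.113.10")
    for ip in ("203.0.113.10", "198.51.100.7"):
        print("id only :", store.validate_id_only(admin_sid), "from", ip)
        print("id + ip :", check_request(store, admin_sid, ip))
```

Run it and the session_id-only check accepts the admin session from both addresses, while the combined check accepts it only from 203.0.113.10. The trade-off the post hints at ("not incredibly difficult") is that users behind a proxy pool or on a connection whose address changes mid-visit are logged out by a strict full-address match; that is why the example exposes the prefix length, so a board can choose how much of the address must agree.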