Shulou(Shulou.com)06/03 Report--

This article mainly introduces "the method tutorial to solve the session deserialization vulnerability of PHP". In the daily operation, I believe that many people have doubts on the method tutorial to solve the session deserialization vulnerability of PHP. Xiaobian consulted all kinds of materials and sorted out simple and easy-to-use operation methods. I hope it will be helpful to answer the doubts of "the method tutorial to solve the session deserialization vulnerability of PHP". Next, please follow the editor to study!

There are three configuration items in php.ini:

Session.save_path= ""-- set the storage path of session session.save_handler= "--set user-defined storage function If you want to use something other than PHP's built-in session storage mechanism, you can use this function (database, etc.) session.auto_start boolen-- specify whether the session module starts a session at the beginning of the request, default is 0 and do not start session.serialize_handler string-- defines the name of the processor used for serialization / deserialization. Php is used by default

The above options are related to Session storage and sequence session storage in PHP.

In an installation using xampp components, the above configuration items are set as follows:

Session.save_path= "D:\ xampp\ tmp" indicates that all session files are stored under xampp/tmp. Session.save_handler=files indicates that session is stored as files. Session.auto_start=0 indicates that sessionsession.serialize_handler=php is not started by default, indicating that session's default sequence engine uses the php sequence engine.

In the above configuration, session.serialize_handler is used to set up the sequence engine of session. In addition to the default PHP engine, there are other engines, and the session corresponding to different engines is stored in different ways.

Php_binary: the ASCII character corresponding to the length of the key name + the key name + the value serialized by the serialize () function is stored.

Php: the key name + vertical bar + the value processed by the serialize () function sequence is stored.

Php_serialize (php > 5.5.4): stores the value serialized by the serialize () function

The PHP engine is used by default in PHP, and if you want to change it to another engine, you only need to add the code ini_set ('session.serialize_handler',' engine you need to set');. The sample code is as follows:

The directory of session is in / var/lib/php/sessions

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.