认证与会话... [英] Authentication with sessions...
问题描述
嘿所有 -
我正在建立一个数据库,我基本上需要阻止那些没有被授权的人,但是这不像我需要顶级安全。我只是
做一个SQL数据库的基本用户/传递,当用户验证
时,我为他开始一个会话。
我的问题是,黑客有没有办法在没有登录的情况下轻松启动会话
?例如,如果我在会话中保存用户名和IP
地址会假装会话相对困难吗?
对不起,如果这是一个愚蠢的问题,我真的不太了解这个
了。
阅读后这件事发生在我身上,我需要澄清一下:
我读了几个例子,其中每个
受保护页面上都访问SQL数据库以重新验证用户/传递信息。我只是想知道是否可以安全地验证它一次然后传递一个标志
说是的,这个用户已被验证。
再次感谢
IP地址不应该用于识别人员。通常多个人使用相同的IP地址,或者一个人可能经常更改IP地址
。如果他们有一个旧的电话调制解调器,他们每次连接时都会有一个不同的
IP。那些旧的调制解调器经常随机断开连接。
如果您使用IP地址识别人员,当该人重新连接时,您的网站会说他们是未经授权的。单独的会话
(没有IP日志记录)应该足够了。如果您的用户数量非常高,或者需要更高的安全性,您可能需要增加会话ID的长度
。我认为这是在php.ini文件中完成的
。这将使黑客不太可能输入随机会话ID并进入,特别是如果有很多用户。
但这只是必要的如果有非常多的
用户或者你需要非常高的安全性。
并验证它们一次然后有一个会话变量标志,表示
他们已经过验证应该可以正常工作。
>我正在建立一个数据库,我基本上需要阻止那些没有被授权,但这并不像我需要顶级安全。我只是在做一个SQL数据库的基本用户/传递,当用户进行身份验证时我会为他开始一个会话。
PHP通常会为* ANYONE *启动会话。会话也是
用于用户跟踪,无需登录或身份验证。
如果你的意思是当用户验证我标记会话时
登录,很好。
我的问题是,黑客有没有办法轻松启动会话
而无需登录?
PHP通常会在登录之前进入登录
页面的任何人开始会话。该会话不会被标记为已记录in,
虽然。
GUESS另一个用户的现有会话是否容易?一般来说,
不,除非黑客不猜测,而是从
用户的计算机上获取会话(比如,通过使用用户的计算机来看看存储的
cookies),或者他使用数据包嗅探器来观察用户的流量,
或者他只是使用用户的计算机(而用户)在午餐时间)
回到你的网站。
例如,如果我在会话中保存用户名和IP
地址将是相对的难以假装一个会话?
如果您检查会话是否在每个页面上登录(例如
,请检查
Hey all--
I''m building a database and I basically need to keep out people who
aren''t authorized, but it''s not like I need top security here. I''m just
doing basic user/pass of a SQL database, and when a user authenticates
I start a session for him.
My question is, is there any way for a hacker to easily start a session
without having logged in? For instance, if I save the user name and IP
address in the session will it be relatively tough to fake a session?
Sorry if this is a dumb question, I really don''t know much about this
yet.
After reading this it occurred to me that I need to clarify:
I read a few examples where the SQL database is accessed on every
protected page to re-verify the user/pass information. I was just
wondering if its safe to verify it once and then pass a flag around
that says, "yes this user has been verified."
thanks again
IP addresses shouldnt be used for identifying people. Often multiple
people use the same IP address, or one person may change IP addresses
often. If they have an old telephone modem, they will have a different
IP everytime they connect. Those old modems often disconnect randomly.
If you use IP addresses to identify people, when that person
reconnects, your site will say they are unauthorized. Sessions alone
(without IP logging) should be sufficient. If you have a really high
number of users, or need more security, you may want to increase the
length of the session ID. I think this is done in the php.ini file
somewhere. That would make it less likely that a hacker could type in
a random session ID and get in, especially if there are a lot of users.
But this should only be necessary if there a really high number of
users or you need really high security.
And verifying them once then having a session variable flag that says
they have been verified should work fine.
>I''m building a database and I basically need to keep out people whoaren''t authorized, but it''s not like I need top security here. I''m just
doing basic user/pass of a SQL database, and when a user authenticates
I start a session for him.
PHP typically starts a session for *ANYONE*. Sessions are also
used in user tracking with no need for logins or authentication.
If by this you mean "when a user authenticates I mark the session
as logged in", fine.
My question is, is there any way for a hacker to easily start a session
without having logged in?
PHP will typically start as session for anyone who goes to the login
page, BEFORE they log in. That session won''t be marked as logged in,
though.
Is it easy to GUESS an existing session of another user? In general,
no, unless the hacker is not guessing but gets the session from the
user''s computer (say, by using the user''s computer to look at stored
cookies), or he uses a packet sniffer to watch the user''s traffic,
or he simply uses the user''s computer (while user is at lunch) to
go back to your site.
For instance, if I save the user name and IP
address in the session will it be relatively tough to fake a session?
If you check the session for being logged in on every page (e.g.
you check that
这篇关于认证与会话...的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
