PHP的在会话中存储用户ID? [英] php storing user id in session?

问题描述

我想知道在会话中存储用户ID有什么风险?

I am wondering what the risks are of storing the userid in a session?

然后只需进行

if(isset($_SESSION['user_id'])){
  login_user($_SESSION['user_id]);
}

会话是否已足够加密，我们将不必担心对其进行哈希处理? 某人能够更改其ID的机会是什么?

Are sessions encrypted enough that we wont have to worry about hashing them? What are the chances of someone being able to change their ID?

推荐答案

默认情况下，会话以文件形式存储在/tmp中.除非您遇到诸如目录遍历漏洞之类的安全问题，否则最终用户将无法看到该文件.

The session is by default stored in /tmp as a file. It is not viewable by the end user unless you have security issues such as directory traversal vulnerabilities.

客户端唯一看到的部分是存储在cookie中的唯一哈希，该唯一哈希映射到服务器上的相关会话.

The only portion the client sees is the unique hash stored in a cookie which maps to the relevant session on the server.

这篇关于PHP的在会话中存储用户ID?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！