Best practice: Start SESSION handling before or after POST data has been checked


Question

What is the best practice when it comes to starting session handling, i.e. calling session_start()? Should one start it before checking the $_POST data or after checking the $_POST data?

Recommended answer

That depends on what your code is doing and how much you care about the $_POST data. I'll discuss some scenarios to help you understand my point.

If the session's existence can offer the user some kind of privilege that should be secured AND the $_POST data contains something that determines whether or not the session is valid, then of course you need to validate the POST data first. For example, you have an if statement that just asks "is there a session? If yes, give privileges". If the POST data contains the username/password to validate them, but you've already started a session (given them privileges), then that is obviously bad.

The session itself can exist and not necessarily mean anything as far as privilege (and therefore security) is concerned. In this case, you may be using the session for some kind of persistent information that ALL visitors have. If someone "logs in", you then add to the session data. In this case, the session exists, but you're simply waiting to validate the username/password before adding the "logged in" information to the session.

The possibilities are probably extremely vast and I don't think any one answer can apply to every situation. Just be sure to think out all the possibilities and follow standard security practices.
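The two patterns contrasted in the answer, as an added PHP example (this is not code from the original question or answer). The "is there a session?" check is shown beside the alternative in which a session may exist for every visitor but privilege is carried only by a flag written after the POSTed credentials are verified. `lookupUser()` is a hypothetical helper standing in for a database query, and the single user record it returns is constructed inline so the file runs offline; the `session_regenerate_id()` call at the login boundary is a standard-practice caveat added here (session fixation), not something the answer states.

```php
<?php
// Added example, not part of the original Q&A. Runs from the CLI as well as
// under a web server; no cookies are needed for the CLI demonstration.
declare(strict_types=1);

// Hypothetical lookup helper (assumption): stands in for a DB query. The user
// record is constructed here; a real app stores only the password hash.
function lookupUser(string $username): ?array
{
    static $users = null;
    if ($users === null) {
        $users = [
            'alice' => ['id' => 1, 'hash' => password_hash('correct horse', PASSWORD_DEFAULT)],
        ];
    }
    return $users[$username] ?? null;
}

function ensureSession(): void
{
    // Guard against "session already started" notices when called repeatedly.
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
}

// Pattern 1: the "obviously bad" case from the answer. Privilege is inferred
// from the mere existence of a session. session_start() hands every visitor
// a session, so this returns true for anyone, credentials or not.
function badIsPrivileged(): bool
{
    ensureSession();
    return session_id() !== '';
}

// Pattern 2: the second scenario from the answer. The session may already exist
// for all visitors; only the verified-credentials path writes the privilege flag.
function handleLogin(array $post): bool
{
    ensureSession();
    $username = (string) ($post['username'] ?? '');
    $password = (string) ($post['password'] ?? '');

    $user = lookupUser($username);
    // A syntactically invalid dummy hash makes password_verify() fail for unknown
    // usernames without short-circuiting before the hash comparison.
    $hash = $user['hash'] ?? '$2y$10$' . str_repeat('0', 53);
    if ($user === null || !password_verify($password, $hash)) {
        return false; // a session exists, but nothing privileged is stored in it
    }

    // Privilege boundary: rotate the session ID so an ID fixed or observed before
    // login does not carry the new privilege (added caveat: session fixation).
    session_regenerate_id(true);
    $_SESSION['user_id'] = $user['id'];
    return true;
}

// The check the rest of the application should use: a flag, not session existence.
function isLoggedIn(): bool
{
    ensureSession();
    return isset($_SESSION['user_id']);
}

if (PHP_SAPI === 'cli') {
    // Constructed requests standing in for $_POST of successive page loads.
    var_dump(badIsPrivileged());
    var_dump(handleLogin(['username' => 'alice', 'password' => 'wrong']));
    var_dump(isLoggedIn());
    var_dump(handleLogin(['username' => 'alice', 'password' => 'correct horse']));
    var_dump(isLoggedIn());
}
```

Run with `php session_example.php`: `badIsPrivileged()` reports true before any credentials are seen, which is the flaw the answer describes, while `isLoggedIn()` stays false after the wrong password and flips to true only once `handleLogin()` has verified the POSTed credentials. With this layout the position of `session_start()` relative to the POST check no longer matters, because privilege is tied to `$_SESSION['user_id']`, not to the session's existence.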

