Regenerating session ID
Question
I am thinking of using this code on every page to reduce the possibility of session hijacking, by renewing the session_id on every request:
if (!empty($_SESSION)) {
    session_start();
}
Another way to achieve this would be to do this:
if (!empty($_SESSION)) {
    session_regenerate_id(true);
}
However, I heard criticisms of that function that say that if the page is refreshed too fast for some reason, the session ID becomes invalid.
Another way to use the session ID is to have more control over how a session is generated.
There are other ways to achieve this. What's the best practice?
Recommended answer
Instead of generating session IDs, why don't you encrypt and use the already generated one? It can be used and destroyed when the intended action is complete.
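An added example, not part of the question or the answer above: timed rotation of the session ID in which the retired ID stays usable for a short grace window, which addresses the "refreshed too fast" failure the question mentions. The function names, the `created_at` and `retired_at` session keys and both time limits are assumptions, and the code assumes PHP 7.4 or later served over HTTPS.

```php
<?php
// Added example: names, session keys and both time limits are assumptions.
const ROTATE_EVERY = 300; // seconds a session ID is used before it is rotated
const GRACE_WINDOW = 30;  // seconds a retired ID stays valid for in-flight requests
const SESSION_OPTS = [
    'use_strict_mode' => 1,     // refuse IDs the server did not issue
    'cookie_httponly' => 1,     // keep the cookie away from page scripts
    'cookie_secure'   => 1,     // assumes the site is served over HTTPS
    'cookie_samesite' => 'Lax',
];

function app_session_start(): void
{
    session_start(SESSION_OPTS);

    if (isset($_SESSION['retired_at'])) {
        if (time() - $_SESSION['retired_at'] <= GRACE_WINDOW) {
            return; // late request on the old ID: serve it, do not rotate again
        }
        // Retired ID presented after the window: discard it, start empty.
        session_destroy();
        session_start(SESSION_OPTS);
    }

    $_SESSION['created_at'] ??= time();
    if (time() - $_SESSION['created_at'] >= ROTATE_EVERY) {
        app_session_rotate();
    }
}

function app_session_rotate(): void
{
    // The old record is saved with this marker and kept (false), so a request
    // that still carries the old cookie is not logged out mid-flight.
    $_SESSION['retired_at'] = time();
    session_regenerate_id(false);

    // From here on $_SESSION is stored under the new ID.
    unset($_SESSION['retired_at']);
    $_SESSION['created_at'] = time();
}

app_session_start();
```

Calling `app_session_rotate()` after login or any other privilege change as well keeps a pre-login ID from carrying over into the authenticated session.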