如何安全地设置会话变量以登录某人? [英] How to securely set session variables for logging someone in?
问题描述
如果有人可以帮助我,我有几个问题.首先,我正在为我的应用程序的用户创建登录系统.我正在使用共享主机(dreamhost),我想知道,在用户登录并成功后,如何验证用户是否在页面上登录?我假设我使用会话变量,但出于某些目的需要存储用户名.将用户名存储在会话变量中是否安全,并且基本上只将用户登录存储到会话变量中是否安全:例如:$_SESSION['logged'] = 1;管他呢.另外,我一直在读到任何人都可以访问我的会话数据,因为我在共享主机上,所以应该改变吗?或者我应该一起使用会话变量以外的其他东西?
默认会话存储配置可能会使用共享主机上所有用户共享的位置.要验证这一点,请查看 phpinfo 的输出,特别是session.save_path 和 session.save_handler.这些设置记录在 PHP 会话配置文档中.
您的共享主机可能以您的用户而非系统用户的身份运行您的 PHP 进程.在这种情况下,您可以将 session.save_path 更改为您的主目录中属于您的目录,并且具有阻止其他用户读取该目录的权限(例如 700).>
如果您的共享主机以系统用户身份运行,您基本上无法获得安全的方式来存储这些文件.然后,您可以使用数据库支持的会话存储选项来代替 session_set_save_handler - 虽然我不确定您如何防止其他人读取您的配置设置.
I have a few questions here if anyone can help me out. First off, I am in the process of creating a login system for users of my application. I am using shared hosting (dreamhost), and I am wondering, after the user logs in and it is successful, how can i verify if the user is logged in on pages? I am assuming that i use session variables, but the user's name needs to be stored for certain purposes. Is it safe to store the user's name in a session variable, and is it secure to basically just store if the user is logged in, into a session variable: ex: $_SESSION['logged'] = 1; or whatever. Also, I have been reading that anyone can access my session data since I am on shared hosting, and so should that be changed? Or should i just use something other than session variables all together?
The default session storage configuration will probably use a location shared between all the users on your shared hosting. To verify this, take a look at the output of phpinfo, in particular the session.save_path and session.save_handler. These settings are documented in the PHP session configuration documentation.
Your shared hosting may run your PHP processes as your user, as opposed to a system user. In that case, you can change session.save_path to a directory in your home directory that is owned by you, and has permissions that prevent other users from reading that directory (700, for example).
If your shared hosting runs as a system user, you basically can't get a secure way to store those files. You can then use a database-backed session storage option instead set with session_set_save_handler - although I'm not sure how you could prevent others from reading your configuration settings.
这篇关于如何安全地设置会话变量以登录某人?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
