PHP Sessions - Best practices for logout

Problem description

I'm working on a PHP Application that uses the session_destroy() method to log a user out of the system, because it is considered good practice to destroy all session information on logout.

However, I'd like to store some information like "Last login date, Last Username" etc. indefinitely (until the browser's cache/cookies are flushed). This information will be used to build subtle personalisation features for the user/people using the same browser.

I cannot store this data on the server because this information needs to be identified with the Browser, not a User of the system, and I have no data that uniquely identifies a browser reliably.

What is the best/recommended way of going about this? I'm currently thinking multiple sessions, and using one of them to store this kind of information, and not destroying it.

Any good advice would be appreciated. Security is a concern for this application. Thanks in advance!

Edit: Bottom line: Is not destroying a session completely opening up security risks like session hijacking?

Solution

It is better (and you have to) to store the last_login and last_login_ip in the users table in the database rather than on the client side. What if the browser crashes, or the user logs in using another browser / computer?

The session_destroy() is the right one. Or if you wanna do more, you can reset the session, which is not recommended and call session_destroy() like this:

$_SESSION = array();
session_destroy();

But I would recommend clearing only the particular session information that you have set using the application. Say, for example:

unset($_SESSION["user"]);


because remember, the data I'm storing here would be used after the user has been logged out, which means I have no way of identifying the user

You are storing the data in the database, which means there's no way you can make a mistake. The comment is crazy. Let me give an example for what you said first. Consider the last_login and last_login_ip, and you do this:

Query_The_Server("UPDATE `users` SET `last_login`=NOW(), `last_login_ip`='{$_SERVER["REMOTE_ADDR"]}' WHERE `user_id`={$_SESSION["user"]["user_id"]}");

Now tell me, how can the above thing fail?


Example: in the login page, I want to say "Last logged in user on this machine was: John".

This calls for a privacy issue. Say, for example, I log into the app and log out, and my friend logs in, or some other person who's waiting to hit on me logs in. He finds that I have logged in previously, and this might be a privacy issue. Think about it.

But still, if this is what you wanna do, then yes, do not use session_destroy(), instead use unset($_SESSION["user"]); or whatever you stored to identify the user and don't touch the last_user.

Another idea would be:

$_SESSION["last_user"] = $_SESSION["user"];      // Keep a copy before logging out.
unset($_SESSION["user"]);                         // Technically logging out.
unset($_SESSION["last_user"]["private_stuff"]);   // Make sure you clear the private stuff.
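The following is an added example, not code from the original answer, showing the two logout variants discussed above in a form that also addresses the question's worry about session hijacking. It assumes a PDO connection in `$pdo`, a session layout where `$_SESSION["user"]` holds the authenticated user's data including `user_id` and `username`, and hypothetical function names. The `last_login` update uses a prepared statement instead of interpolating `REMOTE_ADDR` and the user id into the SQL text, and the "keep last_user" variant copies only an allow-listed field rather than copying the whole user array and unsetting private keys afterwards.

```php
<?php
// Added example (not from the original answer). Assumes a PDO connection $pdo
// and a session where $_SESSION["user"] holds "user_id" and "username".
// Function names are hypothetical.

declare(strict_types=1);

/**
 * Record the login server-side (the answer's recommendation) with a prepared
 * statement, so neither REMOTE_ADDR nor the user id is interpolated into SQL.
 */
function recordLogin(PDO $pdo, int $userId, string $remoteAddr): void
{
    $stmt = $pdo->prepare(
        'UPDATE users SET last_login = NOW(), last_login_ip = :ip WHERE user_id = :id'
    );
    $stmt->execute([':ip' => $remoteAddr, ':id' => $userId]);
}

/**
 * Full logout: wipe every session variable, expire the session cookie in the
 * browser, and delete the server-side session data.
 */
function logoutCompletely(): void
{
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(
            session_name(),
            '',
            time() - 42000,
            $p['path'],
            $p['domain'],
            $p['secure'],
            $p['httponly']
        );
    }
    session_destroy();
}

/**
 * Logout that keeps only a non-sensitive "last_user" hint for this browser,
 * as in the answer's second idea. Only an allow-listed field is copied, so
 * nothing private survives by accident, and the session id is rotated so the
 * id that was valid while logged in is no longer accepted afterwards.
 */
function logoutKeepingLastUser(): void
{
    $lastUser = null;
    if (isset($_SESSION['user']['username'])) {
        $lastUser = ['username' => (string) $_SESSION['user']['username']];
    }

    // Drop everything, then re-add only the hint.
    $_SESSION = [];
    if ($lastUser !== null) {
        $_SESSION['last_user'] = $lastUser;
    }

    // New id for the now-anonymous session; the old id's data is deleted.
    session_regenerate_id(true);
}

// Usage sketch (values are constructed for illustration):
// session_start();
// recordLogin($pdo, (int) $_SESSION['user']['user_id'], $_SERVER['REMOTE_ADDR']);
// logoutKeepingLastUser();   // or logoutCompletely();
```

Copying an allow-listed field is preferable to unsetting known private keys because a deny-list silently leaks any key added to the user array later; and rotating the session id on logout (as on login) is what keeps a retained session from extending the lifetime of an id an attacker may already have captured.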
