PHP $_SESSION Implementation


Question

Does anyone know how PHP maps session IDs to $_SESSION arrays? In other words, given session ID x, where does PHP pull the values from to populate the $_SESSION array?

And given a session ID and the url it came from, is there any possibility of someone being able to gain access to the values in the $_SESSION array?

Answer

By default, PHP uses the files session handler. These files are stored based on the session.save_path setting, but it defaults to the system's temp directory (a highly insecure location; consider changing it).

This session handler stores each session as a serialized PHP array in a file named with the session ID.

If you can find out a session ID prior to it being cleaned up by the session garbage collection routine, it can be hijacked, as PHP does not internally do any sanity checks. You may wish to do your own by storing the user's IP address in the session and comparing it to their current IP, clearing the session if they don't match.

session.gc_maxlifetime controls how many seconds a session will be considered valid. After this point, the session has a small chance of being deleted every time a request occurs. Default is 1440 seconds (or 24 minutes).

By default, this chance is 1%, but can be altered by adjusting the session.gc_probability and session.gc_divisor values (they default to 1 and 100 respectively).

There are other session handlers as well, such as the ones included with the memcache or memcached extensions. There was once one based on the libmm shared memory library, but I believe that has been discontinued.
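The following bootstrap is an added example, not code from the answer above: it applies the points the answer makes (move session files out of the shared temp directory, tune the garbage-collection settings, and bind the session to the client's IP address as a sanity check PHP does not perform for you). The directory `/var/lib/php/sessions-myapp` and the helper name `bindSessionToClient` are assumptions for illustration.

```php
<?php
// Added example: hardened session bootstrap built from the answer's recommendations.
// The save path and helper name are hypothetical; adjust them for your deployment.

declare(strict_types=1);

// 1. Keep session files out of the system temp directory. The directory must be
//    readable and writable by the web server user only (mode 0700).
$savePath = '/var/lib/php/sessions-myapp'; // assumed path
if (!is_dir($savePath) && !mkdir($savePath, 0700, true)) {
    throw new RuntimeException("cannot create session directory $savePath");
}
ini_set('session.save_handler', 'files');
ini_set('session.save_path', $savePath);

// 2. Garbage collection. A session idle for more than gc_maxlifetime seconds becomes
//    eligible for deletion; each request runs the collector with probability
//    gc_probability / gc_divisor (1/100 = 1%, the documented defaults).
ini_set('session.gc_maxlifetime', '1440'); // 24 minutes
ini_set('session.gc_probability', '1');
ini_set('session.gc_divisor', '100');

// 3. Refuse session IDs the server never issued (use_strict_mode, PHP >= 5.5.2),
//    accept the ID only from the cookie, and keep the cookie away from JavaScript.
ini_set('session.use_strict_mode', '1');
ini_set('session.use_only_cookies', '1');
ini_set('session.cookie_httponly', '1');
// ini_set('session.cookie_secure', '1'); // enable when the site is served over HTTPS

session_start();

// 4. The answer's own suggestion: record the client IP in the session and discard the
//    session when a later request arrives from a different address.
function bindSessionToClient(string $clientIp): bool
{
    if (!isset($_SESSION['client_ip'])) {
        // First request of this session: remember who it belongs to.
        $_SESSION['client_ip'] = $clientIp;
        return true;
    }
    if (hash_equals($_SESSION['client_ip'], $clientIp)) {
        return true;
    }
    // Mismatch: wipe the server-side state and issue a fresh ID so the old one is useless.
    $_SESSION = [];
    session_regenerate_id(true);
    return false;
}

if (!bindSessionToClient($_SERVER['REMOTE_ADDR'] ?? '0.0.0.0')) {
    http_response_code(403);
    exit('session rejected');
}

// Normal request handling continues here with a session bound to this client.
```

Two caveats on the IP check: clients behind carrier NAT or on mobile networks change addresses legitimately, so treat a mismatch as a forced re-login rather than as proof of attack, and call `session_regenerate_id(true)` again at every privilege change (login, role switch) so an ID obtained before authentication never carries authenticated state.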
