PHP会话的安全性如何? [英] How secure are PHP sessions?
问题描述
我主要是C ++程序员,但我想尝试一些PHP.
I'm primarily a C++ programmer, but I'm trying to pick up some PHP.
显然,实现Web用户会话的方法是使用$ _SESSION变量将用户的登录ID存储在cookie中.
Apparently the way to implement web user sessions is to store the user's login ID in a cookie using the $_SESSION variable.
有人不能仅仅修改他们的cookie,赋予他们不同的特权或以其他用户身份登录吗?
Is it not possible for someone to just modify their cookie, to give them different privileges or log in as a different user?
似乎这种身份验证机制只是让用户将其ID存储在文件中-然后信任他们不要更改它.
It seems like this authentication mechanism is just having the user store their ID in a file - and then just trusting them not to change it.
有什么可以防止这种情况发生的吗?
Is there something that prevents this?
谢谢!
推荐答案
否,会话存储在服务器上,用户无法访问.它用于在整个网站上存储信息,例如登录会话.
No, a session is stored on the server and cannot be accessed by the user. It is used to store information across the site such as login sessions.
以下是用法示例:
<?php
session_start();
if (password_verify($_POST['password'], $hash)) {
$_SESSION['auth'] = true;
}
?>
然后可以在整个站点上访问会话,以检查用户是否已通过身份验证.
The session can then be accessed across the site to check to see if the user has been authenticated.
<?php
session_start();
if ($_SESSION['auth']) {
echo "You are logged in!";
}
?>
用户无法编辑这些值,但是会话的ID通过cookie作为长随机字符串存储在计算机上.如果未经授权的用户可以访问这些字符串,则他们可以访问该网站.
The user cannot edit these values however the session's ID is stored on a computer through a cookie as a long random string. If an unauthorized user gains access to these strings it is possible for them to access the site.
这篇关于PHP会话的安全性如何?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!