PHP会话的安全性如何? [英] How secure are PHP sessions?

问题描述

我主要是C ++程序员，但我想尝试一些PHP.

I'm primarily a C++ programmer, but I'm trying to pick up some PHP.

显然，实现Web用户会话的方法是使用$ _SESSION变量将用户的登录ID存储在cookie中.

Apparently the way to implement web user sessions is to store the user's login ID in a cookie using the $_SESSION variable.

有人不能仅仅修改他们的cookie，赋予他们不同的特权或以其他用户身份登录吗?

Is it not possible for someone to just modify their cookie, to give them different privileges or log in as a different user?

似乎这种身份验证机制只是让用户将其ID存储在文件中-然后信任他们不要更改它.

It seems like this authentication mechanism is just having the user store their ID in a file - and then just trusting them not to change it.

有什么可以防止这种情况发生的吗?

Is there something that prevents this?

谢谢！

推荐答案

否，会话存储在服务器上，用户无法访问.它用于在整个网站上存储信息，例如登录会话.

No, a session is stored on the server and cannot be accessed by the user. It is used to store information across the site such as login sessions.

以下是用法示例:

<?php
session_start();
if (password_verify($_POST['password'], $hash)) {
    $_SESSION['auth'] = true;
}
?>

然后可以在整个站点上访问会话，以检查用户是否已通过身份验证.

The session can then be accessed across the site to check to see if the user has been authenticated.

<?php
session_start();
if ($_SESSION['auth']) {
    echo "You are logged in!";
}
?>

用户无法编辑这些值，但是会话的ID通过cookie作为长随机字符串存储在计算机上.如果未经授权的用户可以访问这些字符串，则他们可以访问该网站.

The user cannot edit these values however the session's ID is stored on a computer through a cookie as a long random string. If an unauthorized user gains access to these strings it is possible for them to access the site.

这篇关于PHP会话的安全性如何?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！