在php中创建会话的最安全方法 [英] safest way to create sessions in php
问题描述
我正在一个网站上,想要创建用户登录名和会话.什么是检查会话是否存在的最安全方法(例如Cookie或会话变量检查),或者是在php中使用会话的更好的主意?
session_id()返回当前会话的会话ID,如果没有当前会话(不存在当前会话ID),则返回空字符串(").
但这只是告诉您会话是否处于活动状态.
在大多数情况下,我只是在每个脚本的开头都调用session_start();(即使用户尚未登录).登录时,我使用用户ID或用户对象设置$_SESSION['user'].在注销时,我只是unset($_SESSION['user']);.通过检查empty($_SESSION['user']),我可以检查某人是否仍在登录.如果您要在会话中的其他位置存储与用户相关的信息,请不要执行此操作,否则下一个登录的人可能会得到他不应该看到的信息(在这种情况下,请使用session_destroy();).
session.use_only_cookies来实现.
如果您托管在不受信任和/或配置错误的共享服务器上,可能还会有其他安全问题-这可能导致其他人在同一台计算机上读取您的会话数据.在这种情况下,您可以通过重写会话处理程序将会话数据存储在数据库中.只需在Intertubes上搜索session handler mysql,我肯定有足够的即用型解决方案.并且不要在会话中存储诸如密码之类的敏感信息,最好在每次需要比较时进行查询.
除此之外... ...使用ssl/https进行登录和用户管理,因此不会传输任何明文密码.仅将含盐的pw哈希存储在数据库中.不要让任何人看到密码(这意味着:切勿将其打印到html或电子邮件中).请勿将auto_increment值用于用户可以看到的ID(并因此猜测).好的,这已经超出了问题的范围.
I'm working on a website and want to create user login and session. What is the safest way to check if session exists or not (like cookie or session variable check), or any better idea then using sessions in php?
session_id()returns the session id for the current session or the empty string ("") if there is no current session (no current session id exists).
but that just tells you if a session is active or not.
most of the time, i just call session_start(); at the beginning of every script (even if the user's not logged in). on login, i set $_SESSION['user'] with the userid or an user object. on logout, i just unset($_SESSION['user']);. by checking empty($_SESSION['user']) i can check if someone's still logged in or not. don't do this if you're storing user-dependant information elsewhere in your session, otherwise the next guy logging in may get info he's not supposed to see (in this case use session_destroy();).
but safety? just deactivate session-id propagation by GET/POST url rewrites (cookies only), so they don't end up in URLs that can be cached or distributed to others (in this case, session hijacking would be possible). you can do that by setting session.use_only_cookies in the php.ini.
there may be additional safety issues if you're hosting on an untrusted and/or misconfigured shared server - it could lead to other people on the same machine reading your session data. in this case you could store your session data in a database by rewriting your session handler. just search for session handler mysql on the intertubes, i'm sure there are enough ready-to-go solutions. and don't store sensitive information like passwords in the session, better do a query everytime you need to compare it.
other than that ... use ssl/https for login and user management, so no plaintext passwords are transfered. store only pw-hashes with salt in the database. don't let anybody see the passwords (meaning: never print them to html or emails). don't use auto_increment values for ids the user can see (and therefore, guess). ok, that's already out of the questions scope.
这篇关于在php中创建会话的最安全方法的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
