CodeIgniter session help, cookies not secure?


Question



I'm just getting into learning about sessions, and for my purposes, I want to create something that upon every request from the client, the server authenticates that user, and only then performs data-handling for that user.

However, I have seen a lot of examples with CodeIgniter where the session is set up as follows:

$this->load->library('session');

$newdata = array(
               'username'  => 'johndoe',
               'email'     => 'johndoe@some-site.com',
               'logged_in' => TRUE
           );

$this->session->set_userdata($newdata);

However, couldn't someone just create a cookie on their computer with a common username and the 'logged_in' state to true, and suddenly you're authenticated without a password? This seems like a security flaw to me, but I see so many examples like this.

What is the proper way to authenticate the user on each request?

Solution

In the application/config/config.php file of your CodeIgniter install, you can choose to encrypt your cookies.

$config['sess_cookie_name']  = 'ci_session';
$config['sess_expiration']  = 7200;
$config['sess_encrypt_cookie'] = TRUE;  // set from false to TRUE

Once this is set the set_userdata() and userdata() methods will transparently handle encrypting and decrypting the session data.

A full list of CodeIgniter session config options is at the bottom of this page:

http://codeigniter.com/user_guide/libraries/sessions.html
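The following is an added example, not code from the answer above and not CodeIgniter's own session library: it shows the property the questioner is missing, namely that a session cookie is only trustworthy if it carries proof of a server-held key the client does not have. It uses an HMAC over the serialized session rather than CodeIgniter's encryption, but the effect on the question's scenario is the same: a cookie assembled on the client with 'logged_in' => TRUE is rejected. SECRET_KEY is a constructed placeholder.

```php
<?php
// Added example: a tamper-evident session cookie (not CodeIgniter's code).
// The key lives only on the server, so a client cannot compute a valid MAC
// for a cookie it invented.
const SECRET_KEY = 'replace-with-a-random-32-byte-key'; // constructed placeholder

// Serialize the session data and append an HMAC-SHA256 over it.
function sealSession(array $data, string $key): string {
    $payload = base64_encode(json_encode($data));
    $mac = hash_hmac('sha256', $payload, $key);
    return $payload . '.' . $mac;
}

// Verify the MAC before decoding; return null for anything not issued by us.
function openSession(string $cookie, string $key): ?array {
    $parts = explode('.', $cookie, 2);
    if (count($parts) !== 2) {
        return null;                          // malformed cookie
    }
    [$payload, $mac] = $parts;
    $expected = hash_hmac('sha256', $payload, $key);
    if (!hash_equals($expected, $mac)) {      // constant-time comparison
        return null;                          // tampered or forged cookie
    }
    $data = json_decode(base64_decode($payload, true), true);
    return is_array($data) ? $data : null;
}

// Only a cookie that verified AND carries logged_in === true counts.
function isLoggedIn(string $cookie, string $key): bool {
    $session = openSession($cookie, $key);
    return $session !== null && ($session['logged_in'] ?? false) === true;
}

// Cookie issued by the server after a real password check.
$issued = sealSession(['username' => 'johndoe', 'logged_in' => true], SECRET_KEY);

// Cookie built on the client with the same fields but no knowledge of the key
// (the question's scenario); its MAC is just a guess.
$forged = base64_encode(json_encode(['username' => 'johndoe', 'logged_in' => true]))
        . '.' . str_repeat('0', 64);

// The issued cookie is accepted, the client-built one is refused.
echo 'issued: ' . (isLoggedIn($issued, SECRET_KEY) ? 'accepted' : 'rejected') . PHP_EOL;
echo 'forged: ' . (isLoggedIn($forged, SECRET_KEY) ? 'accepted' : 'rejected') . PHP_EOL;
```

Whether the cookie is signed or encrypted, the server should still treat its contents as a session identifier to look up, not as the final word on who the user is; CodeIgniter's database-backed session option in the config list linked above is the usual way to do that.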
