CodeIgniter session help, cookies not secure?
Problem description
I'm just getting into learning about sessions, and for my purposes, I want to create something that upon every request from the client, the server authenticates that user, and only then performs data-handling for that user.
However, I have seen a lot of examples with CodeIgniter where the session is set up like this:
$this->load->library('session');
$newdata = array(
'username' => 'johndoe',
'email' => 'johndoe@some-site.com',
'logged_in' => TRUE
);
$this->session->set_userdata($newdata);
However, couldn't someone just create a cookie on their computer with a common username and the 'logged_in' state to true, and suddenly you're authenticated without a password? This seems like a security flaw to me, but I see so many examples like this.
What is the proper way to authenticate the user on each request?
In the application/config/config.php file of your CodeIgniter install you can choose to encrypt your cookies.
$config['sess_cookie_name'] = 'ci_session';
$config['sess_expiration'] = 7200;
$config['sess_encrypt_cookie'] = TRUE; // set from false to TRUE
Once this is set, the set_userdata() and userdata() methods will transparently handle encrypting and decrypting the session data.
A full list of CodeIgniter session config options is at the bottom of this page:
http://codeigniter.com/user_guide/libraries/sessions.html
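To make the answer's point concrete, here is an added illustration (not CodeIgniter's own code, and not the questioner's or answerer's) of why a client-side session cookie must be protected by a server-side key before `logged_in` can be trusted on each request: the payload is bound to a keyed MAC, so a cookie rewritten on the client fails the check. It assumes a placeholder `$encryptionKey` standing in for the real `encryption_key` setting; CodeIgniter's session library performs its own protection once `sess_encrypt_cookie` is TRUE, and this stand-in only shows the property, not the library's internals.

```php
<?php
// Stand-in for the protection CodeIgniter applies to the session cookie.
// Assumption: $encryptionKey plays the role of $config['encryption_key'].
$encryptionKey = 'constructed-example-key-replace-me'; // placeholder only

// Server side, after a real password check: serialize the userdata and
// append an HMAC computed with the secret the client never sees.
function build_session_cookie(array $userdata, string $key): string {
    $payload = base64_encode(serialize($userdata));
    $mac = hash_hmac('sha256', $payload, $key);
    return $payload . '.' . $mac;
}

// Per-request check: recompute the MAC and compare in constant time.
// Returns the userdata, or null if the cookie is missing, malformed,
// or was altered by the client.
function read_session_cookie(?string $cookie, string $key): ?array {
    if ($cookie === null || substr_count($cookie, '.') !== 1) {
        return null;
    }
    [$payload, $mac] = explode('.', $cookie, 2);
    if (!hash_equals(hash_hmac('sha256', $payload, $key), $mac)) {
        return null; // MAC mismatch: payload was edited without the key
    }
    $raw = base64_decode($payload, true);
    if ($raw === false) {
        return null;
    }
    // allowed_classes => false: never let cookie data instantiate objects
    $data = @unserialize($raw, ['allowed_classes' => false]);
    return is_array($data) ? $data : null;
}

// --- constructed demo ---
$cookie = build_session_cookie(
    ['username' => 'johndoe', 'logged_in' => true], $encryptionKey);
var_dump(read_session_cookie($cookie, $encryptionKey)['logged_in']); // bool(true)

// The scenario from the question: the same cookie with its payload swapped
// for a different user but no access to the key. The check rejects it.
$swapped = base64_encode(serialize(['username' => 'admin', 'logged_in' => true]))
    . '.' . explode('.', $cookie)[1];
var_dump(read_session_cookie($swapped, $encryptionKey)); // NULL
```

The same per-request validation is what lets the server treat `logged_in` in the cookie as its own statement rather than the client's; the username should still be re-checked against the user store on requests that matter, since a MAC proves the cookie was issued by the server, not that the account still exists or is still permitted.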