Codeigniter: is it still safe to set sess_match_ip to FALSE


Problem description

I'm working on a website where visitors from some countries are facing a problem with the CodeIgniter caching system. The cache is deleted after a request or two. After deep investigation I turned sess_match_ip and sess_match_useragent to FALSE and everything is working fine now.

Is it safe to keep those configs as FALSE?

Thanks

Recommended answer

It is slightly less safe, but it is often required, especially when dealing with mobile devices or users behind a bank of proxy servers.

To make sure you are as secure as possible, be sure to use the database for sessions, and be sure to set the encryption key, and sess_encrypt_cookie so that what little information is stored in the cookie is obfuscated.

The one other thing you could do is to lower the config value for sess_time_to_update to a value even less than its default of 300 seconds. On the slight chance someone does get a cookie, then reverse engineer it, it would be useless if CI has already made a new session id.

Added September 23, 2017

With the release versions of Codeigniter 3.x, they recommend using file sessions vs db sessions. Be sure to set a non-web accessible folder for sessions in your config.php if you do. If you have a host that doesn't allow you to set a custom folder, I would stick with db sessions. The rest of the answer still applies.
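An added example (not from the question, the answer, or the CodeIgniter project) showing how the answer's advice maps onto the session settings in application/config/config.php; the session directory path and the encryption key value are placeholders to replace for your own host, and the two cookie flags at the end go beyond what the answer says.

```php
<?php
// Session hardening for CodeIgniter 3.x when sess_match_ip must stay FALSE.
// Keys below are the standard CI 3.x config.php keys; values marked
// PLACEHOLDER / ASSUMED are not from the original answer.

// --- The setting the question is about ---
// FALSE keeps sessions working for users whose IP changes between requests
// (mobile carriers, proxy pools); the trade-off is that a session is no
// longer bound to one client address, so the controls below compensate.
$config['sess_match_ip'] = FALSE;

// --- Compensating controls from the answer ---
// Rotate the session ID more often than the 300-second default, so a
// captured cookie is useful for a shorter window.
$config['sess_time_to_update'] = 120;
// Destroy the old session data on rotation instead of letting the old
// ID linger during a grace period.
$config['sess_regenerate_destroy'] = TRUE;

// Option A (the answer's CI 3.x recommendation): file sessions stored in a
// directory the web server can write to but that is NOT under the document
// root, so the session files can never be served over HTTP.
// ASSUMED path: adjust to your host and make it writable by the PHP user.
$config['sess_driver']    = 'files';
$config['sess_save_path'] = '/var/www/app_sessions';

// Option B (if the host forbids a custom directory): database sessions.
// For the database driver, sess_save_path is the table name; the table
// layout comes from the CI 3.x session library documentation.
// $config['sess_driver']    = 'database';
// $config['sess_save_path'] = 'ci_sessions';

// The answer's "set the encryption key" step. CI 3.x has no
// sess_encrypt_cookie option any more (that was CI 2.x); the key is used by
// the Encryption library, and must be random bytes, never a dictionary word.
// PLACEHOLDER: generate a fresh 32-byte random value and keep it out of VCS.
$config['encryption_key'] = hex2bin('REPLACE_WITH_64_HEX_CHARS_OF_RANDOM_KEY');

// Beyond the answer: standard session cookie flags. With the session no
// longer tied to an IP, limiting where the cookie can be read or sent is the
// next most effective protection against cookie theft.
$config['cookie_secure']   = TRUE;   // only transmit over HTTPS
$config['cookie_httponly'] = TRUE;   // not readable from client-side script
```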

