Is PHP session data secure?

Problem description

Let's assume some validated data gets passed from one PHP page to another using session parameters.

How can I be sure on the second PHP page that this session data is still the data I validated on the first PHP page? From what I understand, the session data is stored in cookies on the user's computer. So what stops the users from injecting corrupted data into that session's cookie?

Because in my scenario I need to rely on the fact that the data passed to the second page is already validated.

So the main question is: how do I pass validated data securely from one page to another?

Thanks a lot, Flo

Recommended answer

The session data itself is stored server side. The only thing that is stored on the client's computer is a cookie with a unique identifier so the server knows which session to load at the server side.

Users cannot manipulate the data stored in the session itself, so in that sense, sessions are secure.

Then of course, the cookie itself could be stolen from a user and used by another user (a practice called 'session hijacking'). You can protect your users from this by, for example, locking a session to their IP address, browser version, etc., and using HTTPS to shield them from people sniffing connections.
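
The measures described in the answer, as an added example that is not part of the original answer: validated data stays in `$_SESSION` on the server, the cookie carrying the session ID is restricted to HTTPS, and the session is bound to the client's IP address and User-Agent. The function names and session keys are hypothetical, and the code assumes PHP 7.3 or later.

```php
<?php
// Added example; function names and session keys are hypothetical.
declare(strict_types=1);

function start_hardened_session(): void
{
    ini_set('session.use_strict_mode', '1');   // reject session IDs the server did not issue
    ini_set('session.use_only_cookies', '1');  // never accept the session ID from the URL
    session_set_cookie_params([
        'lifetime' => 0,
        'path'     => '/',
        'secure'   => true,    // cookie is only sent over HTTPS
        'httponly' => true,    // cookie is not readable from JavaScript
        'samesite' => 'Lax',
    ]);
    session_start();
}

// Hash of the client properties the answer suggests locking the session to.
function client_fingerprint(): string
{
    $ip = $_SERVER['REMOTE_ADDR'] ?? '';
    $ua = $_SERVER['HTTP_USER_AGENT'] ?? '';
    return hash('sha256', $ip . "\0" . $ua);
}

// Page 1: call only after validation has succeeded.
function store_validated(array $data): void
{
    session_regenerate_id(true);               // issue a new ID and delete the old session
    $_SESSION['fingerprint'] = client_fingerprint();
    $_SESSION['validated']   = $data;          // stored server side; the client holds only the ID
}

// Page 2: returns the validated data, or null if the session cannot be trusted.
function load_validated(): ?array
{
    $stored = $_SESSION['fingerprint'] ?? null;
    if (!is_string($stored) || !hash_equals($stored, client_fingerprint())) {
        $_SESSION = [];
        session_destroy();                     // session ID presented by a different client
        return null;
    }
    $data = $_SESSION['validated'] ?? null;
    return is_array($data) ? $data : null;
}
```

Both pages call `start_hardened_session()` first. Binding to the IP address also ends the session for legitimate users whose address changes mid-session, and the User-Agent header is client-supplied, so treat the fingerprint as an extra check on top of HTTPS and the cookie flags.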
