php 会话在用户端是不可更改的吗? [英] Is php session unchangeable from user end?
问题描述
我正在开发自己的需要用户登录的应用程序.所有用户和密码(加密)都存储在数据库中.当用户尝试登录时,它会在数据库中搜索用户名和密码.如果一切正常,那么我将 username
存储在 $_SESSION["username"]
中,用户 role
(管理员、作者等)在 中>$_SESSION["role"]
和 $_SESSION["website"]
中的用户 website
(我需要存储网站,因为应用程序就像多站点" - 我的应用程序托管在客户端托管上,但管理在我的服务器上).
I am developing my own application which requires user login. All users and passwords (encrypted) are stored in a database. When a user tries to login, then it search in the database the username and password. If all is ok, then I store username
in $_SESSION["username"]
, user role
(admin, author etc) in $_SESSION["role"]
and user website
in $_SESSION["website"]
(I need website to be stored because the application is like "multisite" - my applicaton is hosted on client hosting but the administration is on my server).
我读了这个用户可以更改值吗$_SESSION 在 PHP 中? 我不明白.这种方法在 $_SESSION
中是否安全(存储数据和用户登录)?
I read this Can a user alter the value of $_SESSION in PHP? and I don't understand. Is this method secure (of storing data and if user is logged in) in a $_SESSION
?
用户可以更改会话内容吗?(例如,如果用户已登录且 $_SESSION["website"]
是example.com",用户是否可以更改会话 $_SESSION["website"]
到example.org"来破坏另一个网站?如果是,如何避免或会话的安全替代方法是什么?)
Can the user change the session content? (for example, if user is logged in and $_SESSION["website"]
is "example.com", can the user change the session $_SESSION["website"]
to "example.org" to ruin another website? If yes, how to avoid or what's the secure alternative of session?).
请告诉我什么是会话劫持,这会如何影响我的网站,以及如何使 session_id 动态更改?
And please tell me what is session hijacking and how can this affect my site and also, how to make session_id dinamically to change?
非常感谢!
推荐答案
$_SESSION保存在服务器中,用户无法修改(会话劫持的情况除外)
$_SESSION is saved in the server, so the user cannot modify it ( Except the case of session hijacking)
这篇关于php 会话在用户端是不可更改的吗?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!