php 会话在用户端是不可更改的吗? [英] Is php session unchangeable from user end?

问题描述

我正在开发自己的需要用户登录的应用程序.所有用户和密码(加密)都存储在数据库中.当用户尝试登录时，它会在数据库中搜索用户名和密码.如果一切正常，那么我将 username 存储在 $_SESSION["username"] 中，用户 role(管理员、作者等)在 中>$_SESSION["role"] 和 $_SESSION["website"] 中的用户 website (我需要存储网站，因为应用程序就像多站点" - 我的应用程序托管在客户端托管上，但管理在我的服务器上).

I am developing my own application which requires user login. All users and passwords (encrypted) are stored in a database. When a user tries to login, then it search in the database the username and password. If all is ok, then I store username in $_SESSION["username"], user role (admin, author etc) in $_SESSION["role"] and user website in $_SESSION["website"] (I need website to be stored because the application is like "multisite" - my applicaton is hosted on client hosting but the administration is on my server).

我读了这个用户可以更改值吗$_SESSION 在 PHP 中? 我不明白.这种方法在 $_SESSION 中是否安全(存储数据和用户登录)?

I read this Can a user alter the value of $_SESSION in PHP? and I don't understand. Is this method secure (of storing data and if user is logged in) in a $_SESSION?

用户可以更改会话内容吗?(例如，如果用户已登录且 $_SESSION["website"] 是example.com"，用户是否可以更改会话 $_SESSION["website"] 到example.org"来破坏另一个网站?如果是，如何避免或会话的安全替代方法是什么?)

Can the user change the session content? (for example, if user is logged in and $_SESSION["website"] is "example.com", can the user change the session $_SESSION["website"] to "example.org" to ruin another website? If yes, how to avoid or what's the secure alternative of session?).

请告诉我什么是会话劫持，这会如何影响我的网站，以及如何使 session_id 动态更改?

And please tell me what is session hijacking and how can this affect my site and also, how to make session_id dinamically to change?

非常感谢！

推荐答案

$_SESSION保存在服务器中，用户无法修改(会话劫持的情况除外)

$_SESSION is saved in the server, so the user cannot modify it ( Except the case of session hijacking)

这篇关于php 会话在用户端是不可更改的吗?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！