PHP - Sessions - Security


Question


How secure are php Sessions? I am planning to use the native PHP sessions to authenticate users. Can users modify session data like they can $_POST and $_GET data?

Answer


Data only goes into a session when you as the developer have the user put it into the session via the code you write. Therefore, sessions are as secure as the data you allow into them, and how you trust and use that data. Further, sessions are based on a sessionID that the client uses to identify the session user. If someone hijacks a sessionID, then they can emulate being the user whose session ID they stole. This can happen in non SSH communication. So don't trust a session ID for identifying a user (for important stuff) unless they have logged in and the sessionID has only been transmitted in secure mode.


The next question of security would be the "guessability" of a sessionID you sent off to the user. If you handle the stuff I mention above, by the time you get through it and the documentation you will understand how "guessable" PHP sessionIDs are.


Finally watch out for XSS attacks. There are several posts across the internet that explain how to minimize the incidence of XSS.
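The answer above makes three points: the client never holds session contents, only the session ID; that ID must not be stealable or guessable; and XSS is the usual way it gets stolen. As an added example (not code from the original question or answer), the following is a minimal login flow in native PHP that puts those points into configuration. It assumes PHP 7.3 or later (array forms of session_set_cookie_params() and setcookie()) and a hypothetical in-memory user store constructed inline; the function names login(), current_user_id() and logout() are ours, not a PHP API.

```php
<?php
// Added example, not part of the original question or answer.
// Assumes PHP >= 7.3 and a constructed in-memory user store (sample_users()).
declare(strict_types=1);

// The browser only ever holds the session ID cookie; $_SESSION lives on the
// server, so a user can't edit it the way they can edit $_POST/$_GET.
// Everything below is about protecting that ID and what it is allowed to mean.

// Reject session IDs the server did not generate itself. Without this, an
// attacker can plant a cookie PHPSESSID=<attacker-chosen> in a victim's browser
// (session fixation) and PHP will create and use a session under that ID.
ini_set('session.use_strict_mode', '1');
// Never carry the ID in URLs, where it leaks through Referer headers and logs.
ini_set('session.use_only_cookies', '1');
ini_set('session.use_trans_sid', '0');

session_set_cookie_params([
    'lifetime' => 0,       // session cookie: discarded when the browser closes
    'path'     => '/',
    'domain'   => '',
    'secure'   => true,    // sent over TLS only: no plaintext sniffing of the ID
    'httponly' => true,    // not readable from document.cookie: blunts XSS theft
    'samesite' => 'Lax',   // not attached to most cross-site requests (CSRF)
]);
session_start();

const IDLE_TIMEOUT = 15 * 60; // seconds of inactivity before forced logout

// Constructed sample user store; a real application queries a database.
// The hash is generated at startup so the example runs without a fixture.
function sample_users(): array
{
    static $users = null;
    if ($users === null) {
        $users = [
            'alice' => ['id' => 42, 'hash' => password_hash('correct horse battery staple', PASSWORD_DEFAULT)],
        ];
    }
    return $users;
}

function login(string $username, string $password): bool
{
    $user = sample_users()[$username] ?? null;
    if ($user === null || !password_verify($password, $user['hash'])) {
        return false;
    }
    // Rotate the ID at the privilege boundary: any ID the attacker fixed or
    // sniffed before login is now worthless. true = delete the old session data.
    session_regenerate_id(true);
    // Only server-chosen facts go into the session; nothing from the request.
    $_SESSION = [
        'user_id'       => $user['id'],
        'logged_in_at'  => time(),
        'last_activity' => time(),
    ];
    return true;
}

function current_user_id(): ?int
{
    if (!isset($_SESSION['user_id'])) {
        return null;
    }
    // Enforce the idle timeout server-side; cookie expiry is under the
    // client's control and cannot be relied on.
    if (time() - (int) ($_SESSION['last_activity'] ?? 0) > IDLE_TIMEOUT) {
        logout();
        return null;
    }
    $_SESSION['last_activity'] = time();
    return (int) $_SESSION['user_id'];
}

function logout(): void
{
    $_SESSION = [];
    // Expire the cookie in the browser as well as destroying the server copy.
    $p = session_get_cookie_params();
    setcookie(session_name(), '', [
        'expires'  => time() - 3600,
        'path'     => $p['path'],
        'domain'   => $p['domain'],
        'secure'   => $p['secure'],
        'httponly' => $p['httponly'],
        'samesite' => $p['samesite'],
    ]);
    session_destroy();
}

// Usage, in the login form handler:
//   if (login($_POST['username'] ?? '', $_POST['password'] ?? '')) { header('Location: /home'); exit; }
// and at the top of every protected page:
//   if (current_user_id() === null) { header('Location: /login'); exit; }
```

Two things this does not solve, matching the answer's caveats: the Secure flag only helps if the site is actually served over TLS, and HttpOnly stops a script from reading the cookie but not from issuing authenticated requests from the victim's browser while the XSS runs, so output encoding remains the real XSS fix.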
