会话注入? [英] Session injection?

问题描述

我应该如何在会话中托管用户的 ID?只是为了插入id?我的意思是(例如):

How should I host the id of the user on the session? just to insert the id? I mean (for example):

$_SESSION['id'] = 1;

没有办法由用户自己更改它(作为 cookie..)?因为如果是这样，他可以更改为任何id.

There isn't a way to change it by the user himself (as cookie..)? Because if so, he can change to any id.

关于它的另一个问题 - 如何检查用户是否已登录(使用会话)?我创建了一个会话:

One more question about it - how can I check if user is logged in (with sessions)? I created a session:

$_SESSION['is_logged_in'] = true;

再说一次，用户不能创建一个他的名字是'is_logged_in'并且他的值为true的会话吗?或者只是服务器可以控制服务器的价值?

Again, can't the user just create a session which his name is 'is_logged_in' and his value is true? or just the server has a control about the value of the server?

推荐答案

PHP 中的所有会话变量都存储在服务器端.客户端存储一个 cookie，该 cookie 引用应该使用哪个会话，然后服务器查找会话的值.在会话中存储 is_logged_in 和用户 ID 是安全的.

All session variables in PHP are stored server side. The client stores a cookie that references which session should be used, and then the server looks up the values for the session. It is safe to store is_logged_in in your session as well as the user id.

您应该注意的是，如果另一个用户获得了另一个用户的会话 cookie，他们将能够模仿该用户，直到会话超时.一种简单的解决方案是将会话链接到 IP.

What you should be aware of is if another user gets a hold of another user's session cookie, they will be able to imitate that user until the session times out. One simple solution is to link sessions to IPs.

这篇关于会话注入?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！