会话注入? [英] Session injection?
问题描述
我应该如何在会话中托管用户的 ID?只是为了插入id?我的意思是(例如):
How should I host the id of the user on the session? just to insert the id? I mean (for example):
$_SESSION['id'] = 1;
没有办法由用户自己更改它(作为 cookie..)?因为如果是这样,他可以更改为任何id.
There isn't a way to change it by the user himself (as cookie..)? Because if so, he can change to any id.
关于它的另一个问题 - 如何检查用户是否已登录(使用会话)?我创建了一个会话:
One more question about it - how can I check if user is logged in (with sessions)? I created a session:
$_SESSION['is_logged_in'] = true;
再说一次,用户不能创建一个他的名字是'is_logged_in'并且他的值为true的会话吗?或者只是服务器可以控制服务器的价值?
Again, can't the user just create a session which his name is 'is_logged_in' and his value is true? or just the server has a control about the value of the server?
推荐答案
PHP 中的所有会话变量都存储在服务器端.客户端存储一个 cookie,该 cookie 引用应该使用哪个会话,然后服务器查找会话的值.在会话中存储 is_logged_in 和用户 ID 是安全的.
All session variables in PHP are stored server side. The client stores a cookie that references which session should be used, and then the server looks up the values for the session. It is safe to store is_logged_in in your session as well as the user id.
您应该注意的是,如果另一个用户获得了另一个用户的会话 cookie,他们将能够模仿该用户,直到会话超时.一种简单的解决方案是将会话链接到 IP.
What you should be aware of is if another user gets a hold of another user's session cookie, they will be able to imitate that user until the session times out. One simple solution is to link sessions to IPs.
这篇关于会话注入?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!