PHP用户认证会话 [英] PHP User Authentication with Sessions
问题描述
所以我的问题是非常基本的。
So my question is very basic.
当检查,如果用户仍然记录在任何页面上,我将使用
When checking if a user is still logged in on any page, I'll use
if (isset($_SESSION['user']) && $_SESSION['user'] == true) { CODE }
不过,我不应该用散列值,而不是为$ _SESSION ['用户']一个布尔值?
所有我看到的是用布尔值,但是从我的角度这是一个安全泄漏点的导游,是不是?人们都在谈论会话Hjacking和会话固定所有的时间,如果我只是用布尔值用户会话会很容易,woulnd't呢?还是我只是混合的东西在这里?
But, shouldn't I use a hashed value instead of a boolean value for the $_SESSION['user']? All the guides I find are using boolean values, but from my point of view that is a security leak, isn't it? People are talking about Session-Hjacking and Session-Fixation all the time, and that would be very easy if I just used boolean values for the user-session, woulnd't it? Or am I just mixing things up here?
感谢您
推荐答案
我在这里读了两个问题。第一个问题,什么是最好的做法,以确定是否一个用户登录吗?第二个问题是否有会话Hjacking和会话固定关注的一个问题?
I read two questions here. The first question, 'What is the best practice to determine if a user is logged in?" and the second question 'Is there a concern of Session-Hjacking and Session-Fixation?'
第一个问题:
大多数Web应用程序/我合作过的CMS有一个用户对象。没有什么特别的特别之处对象从code的角度来看,它只是一个对象重新presenting用户。当前登录的用户存储在会话的用户对象。 $ _ SESSION ['用户']
在Drupal的(和其他平台)的一个功能用于返回当前登录的用户,或False如果用户没有登录
In Drupal (and other platforms) the a function is used to return the currently logged in user, or False if the user is not logged in.
例如:
function user(){
if( isset($_SESSION['user') and
is_object($_SESSION['user'] and
get_class($_SESSION['user']=='myUserClass')) ){
return $_SESSION['user'];
}else{
return False;
}
}
因此,在您的例子中,我们看到如果(用户()){code}
工作,因为所有的对象评价的如果为真
条款。
So in your example we see if ( user() ) { CODE }
works because all object evaluate as True in an if
clause.
第二个问题:会话Hjacking和会话固定是不是真的在这里关注。在客户端(Web浏览器)不具有访问该服务器的$ _SESSION数组。因此,在短期,是你在这里混的事情了。
Second Question: Session-Hjacking and Session-Fixation are not really concerns here. The client (a web browser) does not have access to the server's $_SESSION array. So in short, yes you are mixing things up here.
这篇关于PHP用户认证会话的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!