Codeigniter / PHP会话安全问题 [英] Codeigniter/PHP sessions security question
问题描述
我正在使用Codeigniter开发一个Web应用程序。当用户对我的网站进行身份验证时,我目前正在将其用户标识符存储在我的会话Cookie(我已启用加密)。我的几个模型类使用会话/ cookie的'user-identifier'参数中的值来更改用户帐户的属性。
I'm developing a web application using Codeigniter. When a user authenticates with my site I'm currently storing their 'user-identifier' in my session cookie (which I have enabled encryption on). Several of my model classes use the value in 'user-identifier' parameter of the session/cookie to make changes to properties of user accounts.
我担心的是,不知道是否可能有人使用我设置的用户标识符的有效codeigniter会话cookie,更改用户标识符的值为不同的用户的值,并更改另一个用户的帐户。
My concern is that I'm wondering if it's possible for someone to take a valid codeigniter-session cookie with a user-identifier that I've set, change the user-identifier's value to the value of a different user, and make changes to another user's account. Would codeigniter/php sessions create an error if someone attempted to change a property of a session cookie?
推荐答案
如果有人尝试更改会话cookie的属性,codeigniter / php会话会创建错误吗? config / config.php,找到sess_use_database并将其更改为TRUE,如果你还没有。这样,所有会话变量都将存储在数据库表中,并且会话cookie只包含会话ID字符串。
Open your /application/config/config.php, locate "sess_use_database" and change it to "TRUE" if you haven't already. This way all session variables will be stored in a database table and session cookie will only contain session id string.
为了增加安全性,您还可以将sess_match_ip更改为TRUE 。这样,如果有人窃取了您用户的Cookie,并尝试将其作为自己的Cookie传递,则会话将被销毁。
For added security, you can also change "sess_match_ip" to TRUE. This way if someone steals your user's cookie and tries to pass it as their own, session will be destroyed.
这篇关于Codeigniter / PHP会话安全问题的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
