正确的方式来管理PHP中的会话？ [英] Correct way to manage sessions in PHP?

问题描述

我目前正在设置身份验证系统。
我的当前布局是从他的电子邮件 $ _ POST ，md5他的密码，并检查数据库对他的电子邮件和他的密码。
如果匹配，我使用 session_start ，我开始在 $ _ SESSION 变量中存储数据，如所以：

  $ _SESSION ['uid'] = $ uid; 
 $ _SESSION ['first_name'] = $ first_name; 
  

在网站的每一页上，我都会对

  isset（$ _ SESSION ['uid']）; 
 

如果没有，重定向到索引页，如果是，加载页面。

我这样做是否正确？这足够安全吗？有人伪造这些数据有多容易？

有人告诉我，我应该创建一个表，包含用户的电子邮件和他的会话ID，并使用它管理事情...我变得很困惑 - 这将如何帮助？

有人可以澄清吗？使用PHP会话管理身份验证的正确方法是什么？

感谢。

解决方案

我之前处理过登录/身份验证系统，我发现这种方法有几个缺点：

• 你md5 his密码，并检查数据库 - 这意味着如果一个人有权访问数据库，他可以弄清楚谁有相同的密码！

ADDENDUM（2015年9月19日）* 查看此链接。它解释了所有的基础知识，你可以采取的方法，为什么你应该采取这些方法，并给你的示例PHP代码。

更好的方法：存储md5的 code> username + password + email + salt 在数据库中，是随机的，并与用户的记录一起存储。

• 在会话变量中直接使用'uid'可能非常危险。考虑这样：我的朋友从我的浏览器登录，他留下了泄漏。我快速检查他的浏览器中设置了哪些Cookie，并解密他的uid。
：当用户成功登录时生成一个随机会话ID，并将该会话ID存储在 $ _ SESSION [] 数组中。您还需要将sessionid与其uid（使用数据库或memcached）相关联。优点是：


1. 您甚至可以将sessionid绑定到特定IP，以便会话ID不会被滥用，即使捕获


2. 如果用户从其他位置登录，您可以使旧的会话ID无效。因此，如果我的朋友从自己的计算机登录，我的计算机上的sessionid会自动失效。



我希望这回答了您的问题。





干杯，





jrh。





：我总是使用cookie来处理我的会话。这有助于我更容易地集成我的Web应用程序的JavaScript组件。您今后可能需要在应用中使用相同的内容。




I'm currently setting up an authentication system. My current layout is to get his email from the $_POST, md5 his password, and check the database against his email and his password. If it matches, I use session_start, and I start storing data in the $_SESSION variable, like so:

 $_SESSION['uid'] = $uid;
 $_SESSION['first_name'] = $first_name;

And on every page of the website, I would preform a simple check of

isset($_SESSION['uid']);

if not, redirect to index page, if is, load the page.

Am I doing this correctly? Is this secure enough? How easy is it for someone to forge that data?

Someone told me that I should create a table, with the user's email, and his session-id and use that to manage things... I've become rather confused - how would this help?

Could someone clarify this? What is the correct way to manage authentication with PHP sessions?

Thanks.

解决方案

I've dealt with login/authentication systems earlier, and I find several shortcomings in this method:

• you "md5 his password, and check the database" -- this means that if a person has access to the database, he can make out who has the same passwords!

ADDENDUM (19 Sep 2015) * Look at this link. It explains all the basics, the approaches you could take, why you should take those approaches and also gives you sample PHP code. If its too long to read, just go to the end, grab the code and get set!

BETTER APPROACH: to store md5 of username+password+email+salt in the database, salt being random, and stored together with the user's record.

• using the 'uid' directly in the session variables can be very risky. Consider this: my friend is logged on from my browser, and he leaves for a leak. I quickly check which cookies are set in his browser, and decipher his 'uid'. Now I own him!

BETTER APPROACH: to generate a random sessionid when the user logs in successfully, and store that session ID in the $_SESSION[] array. You will also need to associate the sessionid with his uid (using the database, or memcached). Advatages are:

1. You can even bind a sessionid to a particular IP so that the sessionid can't be abused even if it is captured
2. You can invalidate an older sessionid if the user logs on from another location. So if my friend logs in from his own computer, the sessionid on my computer becomes invalid automatically.

I hope this answers your question.

Cheers,

jrh.

EDIT: I've always used cookies manually for my session handling stuff. This helps me integrate the javascript components of my web apps more easily. You may need the same in your apps, in future.

这篇关于正确的方式来管理PHP中的会话？的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！