$_SESSION v. $_COOKIE


Problem description


I learned about $_SESSION several weeks ago when creating a login page. I can successfully log in and use it with variables. Currently I am trying to understand $_SESSION and $_COOKIE. Please correct me if I am wrong: I can use $_SESSION when logging in and moving around pages. With $_COOKIE, it is used to remember when I last visited and my preferences.

Another thing involving cookies is that when websites use advertisements (for example: Google AdSense), they use the cookies to track when a visitor clicks on an advertisement, right?

Can I use both ($_SESSION & $_COOKIE)? I read somewhere that you can store the session_id as the value for the cookie.

Also, I read about security, which led me to find this: What do I need to store in the php session when user logged in?. Is using session_regenerate_id good for when a user comes back to the site?

And this: How to store a cookie with php involving uniqid.

For those wanting to know about the login, I use email and password. That way the user can be able to change their username.

I look forward to learning more about these two from anybody who would like to share their knowledge about it. If I asked too many questions, you can just answer the one that you have more experience with.

If you need more information, just ask since I might have forgotten to include something.

Thank You.


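Found this: What risks should I be aware of before allowing advertisements being placed on my website? (http://security.stackexchange.com/questions/7840/what-risks-should-i-be-aware-of-before-allowing-advertisements-being-placed-on-m)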

Solution

In simple terms, $_SESSION and $_COOKIE are different. Both are PHP globals, but cookies are used without a language limitation. $_SESSION is all about storing the data in the server while storing the session ID as a cookie. $_COOKIE is the cookies that the browser sends to the server. This is the major difference. Sessions don't work if the client browser has cookies disabled.

- Security -

If you check the request headers that your browser sends, you will notice that each request has cookie information in it. They can be tracked by sniffing your network communication. Anyone with better tools can edit cookie data. Never use cookies to store passwords! If you use sessions, passwords are in the server and only the session ID cookie will be stored in the client, reducing the security problem. Chuck Norris still can hijack a session.

- Performance -

If you store 5 cookies in the browser with 200 bytes in each, that costs ~1 KB of data on each and every request, no matter if it's a jpg file or a page that actually needs the cookie information. So this directly affects how fast your site can perform to the end user.

If you use sessions, the server has this 1 KB of data while the client sends the session ID in each page request. You can be clever by shifting static files to another cookie-less domain.

- Lifetime -

Sessions get cleared on a timely basis. So if you want to save something for a long time, use cookies instead. The "remember me" functionality of most sites works this way (still, it doesn't store the password. Just the session information - not to be confused with the session ID).

Bottom line, sessions and cookies are different types. A session is relatively secure, server-side storage. It gets cleared often. Cookies can have a larger lifespan, but they affect performance (not CPU/RAM -- load times) unless you don't keep that in mind. It's extremely strange if there is a reason to store 1 KB as cookies though.

Never trust user input that comes through $_GET/POST. Take the same care with $_COOKIE as well. And there is session hijacking. Someone can guess someone else's session ID, although it's nearly impossible to do. So use some validation at the server side first.
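
The split described in the answer, as an added example that is not part of the original post or the poster's code: identity is kept in $_SESSION behind a hardened session-ID cookie that is regenerated at login, while a preference cookie is treated as untrusted input. It assumes PHP 7.3+ served over HTTPS; verify_login(), the theme cookie and the one-user store are hypothetical names with constructed data.

```php
<?php
declare(strict_types=1);
// Added example. Session ID cookie: HTTPS only, hidden from JavaScript, not sent cross-site.
session_set_cookie_params(['lifetime' => 0, 'path' => '/', 'secure' => true,
    'httponly' => true, 'samesite' => 'Lax']);
ini_set('session.use_strict_mode', '1'); // refuse session IDs the server did not issue
session_start();

// Hypothetical credential check against a constructed one-user store.
function verify_login($email, $password): ?int
{
    if (!is_string($email) || !is_string($password)) {
        return null;
    }
    $users = ['alice@example.com' => ['id' => 1,
        'hash' => password_hash('correct horse', PASSWORD_DEFAULT)]];
    $user = $users[$email] ?? null;
    return ($user !== null && password_verify($password, $user['hash'])) ? $user['id'] : null;
}

// $_COOKIE is client-controlled: accept only allowlisted values.
function theme_from_cookie(array $cookies): string
{
    $theme = $cookies['theme'] ?? 'light';
    return in_array($theme, ['light', 'dark'], true) ? $theme : 'light';
}

if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
    $userId = verify_login($_POST['email'] ?? null, $_POST['password'] ?? null);
    if ($userId !== null) {
        session_regenerate_id(true);    // fresh ID at login; the old session is deleted
        $_SESSION['user_id'] = $userId; // server-side state; the password is never stored
        setcookie('theme', theme_from_cookie($_COOKIE), [
            'expires' => time() + 30 * 86400, 'path' => '/', 'secure' => true,
            'httponly' => true, 'samesite' => 'Lax']);
    }
}

$who = isset($_SESSION['user_id']) ? 'user #' . $_SESSION['user_id'] : 'guest';
echo htmlspecialchars("Hello $who, theme: " . theme_from_cookie($_COOKIE), ENT_QUOTES, 'UTF-8');
```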
