加密会话变量有什么安全优势吗？ [英] Is there any security benefit to encrypting session variables?

问题描述

是否会阻止会话劫持？如果没有，我该怎么做才能使我的php会话安全？

Would it prevent, for example, session hijacking? If not, what can I do to make my php sessions secure?

推荐答案

发送给客户端的内容是会话标识符不是会话变量。这些会话标识符通常设置为客户端中的cookie。当然，如果任何人从用户的浏览器或客户端获取会话标识符（例如，通过使用跨站点脚本攻击），他可以在自己的客户端中设置会话标识符，并作为其他用户模拟。

What is sent to the client is a session identifier and not a session variable. These session identifiers are usually set as a cookie in the client. Of course, if anyone gets hold of the session identifier (for example, by using cross site scripting attack) from the user's browser or client, he can set the session identifier in his own client and impersonate as the other user.

但是，会话变量通常是指 $ _ SESSION 数组中的值。请参阅 http://www.php.net/manual/en/function。 session-start.php 为例。这些值不会通过网络发送到客户端。

Session variables, however, usually refer to the values in $_SESSION array. See http://www.php.net/manual/en/function.session-start.php for an example. These values are never sent over the network to the client.

就保护会话标识符而言，我已经在第一段解释了它们被存储为cookie在浏览器中在HTTP会话中，Cookie在服务器和客户端之间以明文形式传输。这很容易受到窃听（例如，路由器上的一个人通过它可以捕获您的数据包并从中读取会话标识符）。克服这个问题的最好方法是使用HTTPS。

As far as protecting session identifiers is concerned, I have already explained in the first paragraph that they are stored as cookies in the browser. In an HTTP session, the cookies are transmitted between the server and client in cleartext. This is vulnerable to eavesdropping (for example, a guy on a router through which your packets pass could capture your packets and read the session identifier from it). The best way to overcome this problem is to use HTTPS instead.

这篇关于加密会话变量有什么安全优势吗？的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！