I am mainly a C++ programmer, but I am trying to learn some PHP.
Apparently the way to implement web user sessions is to use the $_SESSION variable to store the user's login ID in a cookie.
Couldn't someone just modify their cookie to give themselves different privileges or to log in as a different user?
It seems this authentication mechanism simply has the user store their ID in a file and then trusts them not to change it.
Is there anything that prevents this?
Thanks!
PHP sessions are only as secure as your application makes them. PHP sessions give the user a pseudorandom string (the "session ID") to identify themselves with, but if that string is intercepted by an attacker, the attacker can pretend to be that user.
This information is taken from "Session Management Basics" in the PHP manual, but simplified a bit. Some things may have been missed. Be sure to read through that as well.
- Enable session.use_strict_mode (a further point here, involving a `$userId-` prefix, is cut off in the source).
- Enable session.use_only_cookies and disable session.use_trans_sid, so the session ID never appears in a URL where it would leak through the Referer header.
- Periodically regenerate the session ID and invalidate old session IDs shortly after regenerating.
- Optionally keep track of additional information in $_SESSION that relates to the request (IP address, user agent string, etc.).
No, the session is stored on the server and the user cannot access it. It is used to store information across the whole site, for example a login session.
Here is a usage example:
<?php
session_start();
// $hash is the password_hash() value stored for this user (looked up elsewhere)
if (isset($_POST['password']) && password_verify($_POST['password'], $hash)) {
    $_SESSION['auth'] = true;
}
?>
The session can then be accessed anywhere on the site to check whether the user is authenticated.
<?php
session_start();
// A missing key means "not logged in"; !empty() avoids an undefined-index notice
if (!empty($_SESSION['auth'])) {
    echo "You are logged in!";
}
?>
The user cannot edit these values, but the session's ID is stored on their machine as a long random string in a cookie. If an unauthorized user gets hold of that string, they could potentially access the site as that user.
If you do this:
$_SESSION['user'] = $username;
then $username is not stored directly in the cookie. Instead, a unique session ID is generated and stored in the cookie.
The information you store in $_SESSION is kept only on the server side and is never sent to the client. On subsequent requests from the client, session_start() loads the session data using the ID stored in the cookie.
It is relatively secure. The only thing that can happen is that someone intercepts the session ID and thereby steals the real user's session. HTTPS prevents that, though.
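The hardening list in the first answer and the interception point made just above can be put together in a small session bootstrap. The following is an added example, not code from any of the answers: the function names (secure_session_start, login_user, require_login) and the $users lookup table are assumptions for illustration, and the 15-minute regeneration interval is an arbitrary choice.

```php
<?php
// Added example: hardened PHP session bootstrap plus login/check helpers.
// secure_session_start, login_user, require_login and $users are assumed names.
declare(strict_types=1);

function secure_session_start(): void
{
    // Reject session IDs the server did not issue. This defeats session
    // fixation, where an attacker plants an ID in the victim's cookie first.
    ini_set('session.use_strict_mode', '1');
    // Never accept or emit the session ID in URLs; URLs leak via Referer and logs.
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_trans_sid', '0');
    // Longer, denser IDs than the defaults (48 chars x 6 bits = 288 bits).
    ini_set('session.sid_length', '48');
    ini_set('session.sid_bits_per_character', '6');

    session_set_cookie_params([
        'lifetime' => 0,        // session cookie: discarded when the browser closes
        'path'     => '/',
        'domain'   => '',
        'secure'   => true,     // only sent over HTTPS, so it cannot be sniffed
        'httponly' => true,     // not readable from JavaScript (XSS cannot read it)
        'samesite' => 'Lax',    // not sent with cross-site POSTs (CSRF mitigation)
    ]);
    session_start();

    // Periodic regeneration limits how long a stolen ID stays usable.
    $now = time();
    if (!isset($_SESSION['created_at'])) {
        $_SESSION['created_at'] = $now;
    } elseif ($now - $_SESSION['created_at'] > 900) {   // assumed: every 15 minutes
        session_regenerate_id(true);                   // true: destroy the old ID's data
        $_SESSION['created_at'] = $now;
    }
}

function login_user(int $userId): void
{
    // Fresh ID at privilege change so a pre-login ID cannot be replayed.
    session_regenerate_id(true);
    $_SESSION['user_id'] = $userId;
    // Bind the session to a request attribute; a later mismatch suggests theft.
    $_SESSION['ua_hash'] = hash('sha256', $_SERVER['HTTP_USER_AGENT'] ?? '');
}

function require_login(): int
{
    $ua = hash('sha256', $_SERVER['HTTP_USER_AGENT'] ?? '');
    if (empty($_SESSION['user_id']) || !hash_equals($_SESSION['ua_hash'] ?? '', $ua)) {
        session_unset();
        session_destroy();
        http_response_code(401);
        exit('Not logged in');
    }
    return (int) $_SESSION['user_id'];
}

// Usage in a login script. $users is an assumed lookup keyed by username,
// each entry ['id' => int, 'hash' => password_hash(...)].
secure_session_start();
$user = $users[$_POST['username'] ?? ''] ?? null;
if ($user !== null && password_verify($_POST['password'] ?? '', $user['hash'])) {
    login_user($user['id']);
}
```

The ini_set() calls must run before session_start(), and the `secure` cookie flag means the site has to be served over HTTPS or the browser will never send the cookie back. Binding to the User-Agent string is a weak check (an attacker who steals the cookie can usually copy the header too), so treat it as defence in depth rather than a substitute for HTTPS and regeneration.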
There are two ways to answer this:
PHP session IDs are hard enough to guess for most use cases. Not much harder or less hard than other widely used systems.
Trusting only a session cookie (and only the existence of a session cookie) seems not to go very far security-wise to me, no matter where this session cookie comes from - PHP or elsewhere.
So, in short: PHP sessions are as secure as your use of them makes them. This is true for any session-cookie-based system I know of.
Since you are a C++ programmer, you only need to know that the session visible to the client side is just a pointer into a different address space (the server's) and, therefore, the session cannot be accessed from the client side.
Whatever answer you get on this topic you are most likely not going to be satisfied because there are so many different opinions on the topic. There are even entire books written about sessions and PHP security in general.
The best answer you can hope to get here is probably "sessions are as safe as you want them to be". More work and a larger number of precautions will obviously make them safer to use, but the implementation itself will consume more time. As with everything, you are the one to measure how safe is safe enough for your needs.