我必须制作一个时间表系统,并且我在页面中进行了登录,但随后我需要使用会话来了解谁的登录以及他们是否仍然登录但cookies必须被禁用所以我尝试将SessionID's保存到数据库,MySQL但我不知道如何在另一个页面上检索该会话 ID,所以任何想法都会有所帮助?不确定我是否也完全正确
问问题
1388 次
1 回答
2
You'd need to pass the session ID through the url, like so:
http://local.domain/index.php?sessionID=7387837rhdfjfytyfegwfvkewbf
Obviously the above GET request makes the session ID fairly obvious. Really though, in normal circumstances, only the users themselves will see it. So the security implications aren't terribly bad, but they are there for the malicious, to spoof a session.
Tips for using this approach:
- Don't use incremental sessionIDs (100, 101, 102) - Generate random ID's
- Although you could use a
POSTrequest on every page, it doesn't help security and it'll probably upset/antagonise your user (Consider back button presses) - Still maintain your session in the database, using the unique session ID from
$_GETas the key - Ensure that the session times out, and quickly. Update the
last_accesstime with each refresh to ensure an active user doesn't time out.
于 2012-12-14T19:20:53.403 回答