After I verify the user's login information, I create this session:

$_SESSION['username'] = $userName;

Then, I redirect them like this:

header('Location: www.domain.com/profile/' . $_SESSION['username']);

I want my site to have a pretty URL, for example: www.domain.com/profile/userName

So, in all my redirect links (HTML <a> tags or the PHP header() function), I will use:

"www.domain.com/album/" . $_SESSION['username'];

Is there a security vulnerability?

Edit:

Do I need to create a session ID first using session_id()?

So, to check:

if (!isset($_SESSION['id'])) {
    // redirect to login page
}

3 Answers


Normally, while using sessions, we also need to be aware of:

Session Hijacking, Session Fixation

I suggest that in your code, after the user has logged in, you store the username in a session variable and also store one more unique value, such as the USER AGENT, in a session variable, so that on every page the user visits we can check whether the same USER AGENT and SESSION ID exist; this would make it much more secure. To make it even more secure, do encryption like MD5 on the User AGENT so that hackers can't reproduce it.

Quoted from the PHP Security Guide:

<?php

session_start();

if (isset($_SESSION['HTTP_USER_AGENT']))
{
    if ($_SESSION['HTTP_USER_AGENT'] != md5($_SERVER['HTTP_USER_AGENT']))
    {
        /* Prompt for password */
        exit;
    }
}
else
{
    $_SESSION['HTTP_USER_AGENT'] = md5($_SERVER['HTTP_USER_AGENT']);
}

?>

Refer to:
PHP Security Guide on Session
Another Thread on Session security

answered 2009-05-01T19:02:52.847
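The following is an added example, not code from the answer above or from the PHP Security Guide. It puts the two pieces of advice into one login/session module: the session ID is regenerated at login so that a pre-set (fixated) ID never becomes an authenticated one, and a hash of the User-Agent is stored and re-checked on every request. The hash function (sha256 instead of md5) and the cookie flags are my choices; `verify_credentials()` in the usage comment is a hypothetical helper that the example does not define.

```php
<?php
// Added example (not from the PHP Security Guide or the answer above).
// Assumes a hypothetical verify_credentials() in the login handler; everything
// else is standard PHP session handling.

declare(strict_types=1);

// Harden the session cookie before the session is started (PHP 7.3+ array form).
session_set_cookie_params([
    'httponly' => true,   // not readable by JavaScript
    'secure'   => true,   // only sent over HTTPS
    'samesite' => 'Lax',
]);
session_start();

/** Hash of the client User-Agent, stored alongside the session. */
function client_fingerprint(): string
{
    // Hash rather than store the raw header; sha256 instead of md5 is a choice here.
    return hash('sha256', $_SERVER['HTTP_USER_AGENT'] ?? '');
}

/** Call right after the credentials have been verified. */
function login_user(string $userName): void
{
    // Discard the pre-login session ID so a fixated ID is never upgraded to an
    // authenticated one (session fixation defense).
    session_regenerate_id(true);
    $_SESSION['username']        = $userName;
    $_SESSION['HTTP_USER_AGENT'] = client_fingerprint();
    $_SESSION['login_time']      = time();
}

/** Returns the logged-in username, or null if the session is absent or suspicious. */
function current_user(): ?string
{
    if (!isset($_SESSION['username'], $_SESSION['HTTP_USER_AGENT'])) {
        return null;
    }
    // Constant-time comparison of the stored and current fingerprints.
    if (!hash_equals($_SESSION['HTTP_USER_AGENT'], client_fingerprint())) {
        logout_user();
        return null;
    }
    return (string) $_SESSION['username'];
}

/** Fully destroy the session, including the cookie on the client. */
function logout_user(): void
{
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
                  $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
}

// Usage in a login handler (verify_credentials() is assumed, not defined here):
// if (verify_credentials($_POST['username'], $_POST['password'])) {
//     login_user($_POST['username']);
//     header('Location: https://www.domain.com/profile/' . rawurlencode($_POST['username']));
//     exit; // always stop after a redirect so no further output or logic runs
// }
```

The User-Agent check is a coarse heuristic, since any client can send any User-Agent header; the parts of this example that carry real weight are `session_regenerate_id(true)` at login, the `secure`/`httponly` cookie flags, and the absolute `Location` URL followed by `exit`.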

You need authorization on the page that allows user to edit their profile. If they'll be editing on the http://www.domain.com/profile/[username] page then you need to check if their $_SESSION['username'] is equal to the profile page they are on.

Otherwise anyone would be able to type in the URL (basically guess a profile number or name) and edit it.

But yes, you should first check if they've logged in AT ALL:

if (isset($_SESSION['username'])) {
    // Logged in
} else {
    // Not logged in
}
answered 2009-05-01T19:01:02.007
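The following is an added example, not part of the answer above. It shows the two checks the answer describes, as a small front controller for the `/profile/{username}` URLs from the question: first authentication (is anyone logged in?), then authorization (is the logged-in user the owner of the profile in the URL?) before any edit is allowed. The routing, the character whitelist for usernames, and `save_profile()` are assumptions of this example; `save_profile()` is a hypothetical helper that is not defined here.

```php
<?php
// Added example, not from the answer above. Assumes every request reaches this
// script (front controller) and a hypothetical save_profile() that persists the
// edited fields; the routing and the two checks are the point.

declare(strict_types=1);
session_start();

/**
 * Extract the username from a path like /profile/alice or /profile/alice/edit.
 * Returns null if the path is not a profile URL or the name has unexpected characters.
 */
function profile_owner_from_path(string $path): ?string
{
    // Conservative character set so the name is safe in URLs and in HTML output.
    if (preg_match('#^/profile/([A-Za-z0-9_.-]{1,32})(?:/edit)?/?$#', $path, $m)) {
        return $m[1];
    }
    return null;
}

function is_edit_request(string $path): bool
{
    return (bool) preg_match('#^/profile/[A-Za-z0-9_.-]{1,32}/edit/?$#', $path);
}

/** Authentication: is anybody logged in at all? */
function logged_in_user(): ?string
{
    return isset($_SESSION['username']) ? (string) $_SESSION['username'] : null;
}

/** Authorization: may the logged-in user edit this profile? */
function may_edit(?string $viewer, string $owner): bool
{
    // Only the owner may edit; the decision comes from the session, never from the URL alone.
    return $viewer !== null && $viewer === $owner;
}

$path  = parse_url($_SERVER['REQUEST_URI'] ?? '/', PHP_URL_PATH) ?: '/';
$owner = profile_owner_from_path($path);

if ($owner === null) {
    http_response_code(404);
    exit('Not found');
}

$viewer = logged_in_user();

if (is_edit_request($path)) {
    if ($viewer === null) {
        // Not logged in: send to the login page with an absolute URL and stop.
        header('Location: https://www.domain.com/login');
        exit;
    }
    if (!may_edit($viewer, $owner)) {
        // Logged in as someone else: deny outright rather than guessing a redirect.
        http_response_code(403);
        exit('Forbidden');
    }
    if (($_SERVER['REQUEST_METHOD'] ?? 'GET') === 'POST') {
        save_profile($owner, $_POST); // assumed helper, not defined in this example
    }
    echo 'Editing profile of ' . htmlspecialchars($owner, ENT_QUOTES, 'UTF-8');
} else {
    // Viewing a profile is public here; escape anything echoed into HTML.
    echo 'Profile of ' . htmlspecialchars($owner, ENT_QUOTES, 'UTF-8');
}
```

Without the `may_edit()` step, a logged-in user could open `/profile/someone-else/edit` and pass the login check, which is exactly the guessing attack the answer warns about.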

What are you protecting? What are you doing to verify whether they are authorized? Are you protecting their profile and verifying that they are authorized because they hold a session key? You never mentioned checking whether they have a session variable.

You don't even need to know the session ID. It is irrelevant for storing whether the user has been authenticated; it is just the mechanism that indicates which session information they should use.

When the user logs in, you want to store something like

$_SESSION['authed_user'] = true;

Then, when they subsequently try to edit information:

if ($_SESSION['authed_user']) {
  // do something authed users can do
}

Of course, you may really need some level of authorization. I suggest you consider using something like SimpleAuth ...

answered 2009-05-01T18:43:37.230