blocks|key|594735|text|否，会话存储在服务器上，用户无法访问。它用于存储整个站点的信息，例如登录会话。|type|unstyled|depth|inlineStyleRanges|entityRanges|data|594736|下面是一个用法示例：|594737|<?php
session_start();
if+(password_verify($_POST['password'],+$hash))+{
++++$_SESSION['auth']+=+true;
}
?>|code-block|syntax|javascript|594738|然后，可以跨站点访问该会话，以检查用户是否已通过身份验证。|594739|<?php
session_start();
if+($_SESSION['auth'])+{
++++echo+"You+are+logged+in!";
}
?>|594740|用户不能编辑这些值，但是会话的ID通过cookie以长随机字符串的形式存储在计算机上。如果未经授权的用户获得对这些字符串的访问权限，则他们有可能访问该站点。|594741|entityMap^0|0|0|0|0|0|0^^$0|@$1|2|3|4|5|6|7|Q|8|@]|9|@]|A|$]]|$1|B|3|C|5|6|7|R|8|@]|9|@]|A|$]]|$1|D|3|E|5|F|7|S|8|@]|9|@]|A|$G|H]]|$1|I|3|J|5|6|7|T|8|@]|9|@]|A|$]]|$1|K|3|L|5|F|7|U|8|@]|9|@]|A|$G|H]]|$1|M|3|N|5|6|7|V|8|@]|9|@]|A|$]]|$1|O|3|-4|5|6|7|W|8|@]|9|@]|A|$]]]|P|$]]

No, a session is stored on the server and cannot be accessed by the user. It is used to store information across the site such as login sessions.

Here is an example of the usage:

<pre><code>&lt;?php
session_start();
if (password_verify($_POST['password'], $hash)) {
 $_SESSION['auth'] = true;
}
?&gt;
</code></pre>

The session can then be accessed across the site to check to see if the user has been authenticated.

<pre><code>&lt;?php
session_start();
if ($_SESSION['auth']) {
 echo "You are logged in!";
}
?&gt;
</code></pre>

The user cannot edit these values however the session's ID is stored on a computer through a cookie as a long random string. If an unauthorized user gains access to these strings it is possible for them to access the site.

blocks|key|594798|text|如果这样做：|type|unstyled|depth|inlineStyleRanges|entityRanges|data|594799|$_SESSION['user']+=+$username;|code-block|syntax|javascript|594800|那么$username将不会直接存储在cookie中。相反，将生成唯一的会话id并将其存储在cookie中。|offset|length|style|CODE|594801|您存储在$_SESSION中的信息只存储在服务器端，而不会发送到客户端。在客户端的后续请求中，当您执行session_start()时，服务器将通过存储在cookie中的id加载会话数据。|594802|它相对安全。唯一可能发生的事情是，有人可以截取会话id，从而窃取真正的用户会话。不过，HTTPS可以防止这种情况发生。|594803|entityMap^0|0|0|2|9|0|4|9|1F|F|0|0^^$0|@$1|2|3|4|5|6|7|S|8|@]|9|@]|A|$]]|$1|B|3|C|5|D|7|T|8|@]|9|@]|A|$E|F]]|$1|G|3|H|5|6|7|U|8|@$I|V|J|W|K|L]]|9|@]|A|$]]|$1|M|3|N|5|6|7|X|8|@$I|Y|J|Z|K|L]|$I|10|J|11|K|L]]|9|@]|A|$]]|$1|O|3|P|5|6|7|12|8|@]|9|@]|A|$]]|$1|Q|3|-4|5|6|7|13|8|@]|9|@]|A|$]]]|R|$]]

If do this:

<pre><code>$_SESSION['user'] = $username;
</code></pre>

Then <code>$username</code> will not be directly stored in a cookie. Instead a unique session id will be generated and stored inside a cookie.

The info that you store in <code>$_SESSION</code> is only stored server side and never sent to the client. On subsequent request by the client, the server will load the session data by the id stored in the cookie when you do <code>session_start()</code>.

It relatively secure. The only thing that can happen is that somebody could intercept the session id and thus steal the real users session. HTTPS can prevent that from happening though.

blocks|key|594843|text|无论你在这个话题上得到什么答案，你都很可能不会满意，因为在这个话题上有太多不同的观点。甚至还有一整本关于会话和PHP安全性的书籍。|type|unstyled|depth|inlineStyleRanges|entityRanges|data|594844|你希望在这里得到的最好的答案可能是“会话和你想要的一样安全”。更多的工作和更多的预防措施显然会使它们更安全地使用，但实现本身会消耗更多的时间。就像所有的事情一样，你是衡量多大程度的安全才能满足你的需求的人。|594845|entityMap^0|0|0^^$0|@$1|2|3|4|5|6|7|F|8|@]|9|@]|A|$]]|$1|B|3|C|5|6|7|G|8|@]|9|@]|A|$]]|$1|D|3|-4|5|6|7|H|8|@]|9|@]|A|$]]]|E|$]]

Whatever answer you get on this topic you are most likely not going to be satisfied because there are so many different opinions on the topic. There are even entire books written about sessions and PHP security in general.

The best answer you can hope to get here is probably "sessions are as safe as you want them to be". More work and a larger number of precautions will obviously make them safer to use but the implementation itself will consume more time. As with everything you are the one to measure how much safe is safe enough for your needs.

blocks|key|378884|text|由于您是一名C%2B%2B程序员，您只需要知道客户端可见的会话只是不同地址空间(服务器)上的一个指针，因此无法从客户端模式访问该会话。|type|unstyled|depth|inlineStyleRanges|entityRanges|data|378885|entityMap^0|0^^$0|@$1|2|3|4|5|6|7|D|8|@]|9|@]|A|$]]|$1|B|3|-4|5|6|7|E|8|@]|9|@]|A|$]]]|C|$]]

Since you are a C++ programmer, you only need to know that the session visible to the client side is just a pointer on a different address space (the server) and, therefore, the session cannot be accessed from the client mode.

I'm primarily a C++ programmer, but I'm trying to pick up some PHP.

Apparently the way to implement web user sessions is to store the user's login ID in a cookie using the $_SESSION variable.

Is it not possible for someone to just modify their cookie, to give them different privileges or log in as a different user?

It seems like this authentication mechanism is just having the user store their ID in a file - and then just trusting them not to change it.

Is there something that prevents this?

Thanks!

How secure are PHP sessions?

身份验证

服务器

我主要是一个C++程序员，但我正在尝试学习一些PHP。显然，实现web用户会话的方法是使用$_SESSION变量将用户的登录ID存储在cookie中。难道某人不能只修改他们的cookie，给他们不同的特权，或者以不同的用户登录吗？似乎这种身份验证机制只是让用户将他们的ID存储在一个文件中-然后信任他们不会更改它。有什么...

问PHP会话的安全性如何？
EN

社区

活动

资源

关于

腾讯云开发者

热门产品

热门推荐

更多推荐

问PHP会话的安全性如何？EN

社区

活动

资源

关于

腾讯云开发者

热门产品

热门推荐

更多推荐

问PHP会话的安全性如何？
EN