$ _SESSION ['loggedin'],特定用户的标识和安全性问题
[英]$_SESSION['loggedin'], identification of particular user and security questions
问题描述
Please, advice if my thoughts are correct. 
请告诉我我的想法是正确的。 I have searched for information but have not found exact answer. 我已搜索信息,但未找到确切答案。
User enters username and password and the entered username/password are the same as in mysql. 用户输入用户名和密码,输入的用户名/密码与mysql相同。
I create $_SESSION['loggedin'] = 1; 我创建$ _SESSION ['loggedin'] = 1; This means that somewhere on server is created file with random name like r21bj2a3.... and in user browser is created cookie with value like r21bj2a3.... 这意味着在服务器上的某个地方创建了具有随机名称的文件,例如r21bj2a3 ....,并且在用户浏览器中创建了具有r21bj2a3 ....等值的cookie。
On next page I check if( $_SESSION['loggedin'] == 1 ). 在下一页上,我检查是否($ _SESSION ['loggedin'] == 1)。 User browser connect to server, send to server information like: I have cookie with value r21bj2a3...., please send me content of ? 用户浏览器连接到服务器,向服务器发送以下信息:我有值为r21bj2a3 ....的cookie,请向我发送以下内容: session? 会议? Server sends information that for the particular cookie session loggedin is 1. 服务器发送有关登录的特定cookie会话为1的信息。
As I understand if malicious user gets cookie value r21bj2a3...., sends to server and gets the same answer as normal user? 据我了解,恶意用户是否获得cookie值r21bj2a3 ....,发送到服务器并获得与普通用户相同的答案?
Depending on $_SESSION['loggedin'] I can not identify particular user? 取决于$ _SESSION ['loggedin']我无法识别特定用户? To identify particular user after successful login I can create unique token, record in mysql and pass with session? 要在成功登录后识别特定用户,我可以创建唯一令牌,在mysql中记录并通过会话传递? And on password protected page from the passed session I get token value and check (select) if such value exists in mysql. 在通过的会话的密码保护页面上,我获得令牌值并检查(选择)该值是否存在于mysql中。 Is this way ok? 这样可以吗? May be post some link with good method? 可能会发布一些好的方法链接?
Regarding token. 关于令牌。 I pass the token value with sessions. 我通过会话传递令牌值。 That means if malicious user get cookie value, send to server and get answer, containing token value (so malicious user gets rights of normal user)? 这意味着如果恶意用户获得cookie值,将其发送到服务器并获得包含令牌值的答案(这样恶意用户将获得普通用户的权利)?
3 个解决方案
解决方案1
0 2013-03-24 07:24:14
To identify which user the session belongs to, just set a viable in the session 要确定会话属于哪个用户,只需在会话中设置一个可行的对象
$_SESSION['user'] = user
You are correct about the cookie giving access to the session. 您对允许访问该会话的cookie是正确的。 If security is important, use SsL. 如果安全性很重要,请使用SsL。
解决方案2
0 2013-03-24 07:29:34
HTTP is stateless protocol.It does not keep track of data across several pages.So we require session which can be globally accessible across all pages in website HTTP是无状态协议,它无法跟踪多个页面上的数据,因此我们需要可以在网站上所有页面上全局访问的会话
For identifying the user who is currently logged into website we need to store value of user_id field in user table into session after he is authenticated successfully. 为了识别当前登录的网站的用户,我们需要在用户表通过身份验证后将用户表中user_id字段的值存储到会话中。
eg 例如
$_SESSION['user_id']=$result['user_id']
And to determine whether user is logged in or not we can check the value of $_SESSION['user_id'] variable .If it is empty then user is not logged in else user is logged in 并确定用户是否登录,我们可以检查$ _SESSION ['user_id']变量的值。如果为空,则用户未登录,否则用户已登录
解决方案3
0 已采纳
I suggest to save all active sessions in the database, you can create a table for doing that, to prevent session hijacking, you can check each particular session (login) and see if user already authenticated, then, do not allow second authentication. 我建议将所有活动会话保存在数据库中,您可以创建一个用于执行此操作的表,以防止会话劫持,可以检查每个特定的会话(登录)并查看用户是否已通过身份验证,然后,不允许进行第二次身份验证。
The problem here, how to recognize user? 这里的问题,如何识别用户? You can bind some Information like USER_AGENT, and IP Address, however, these information can also be spoofed by hacker, but, the probability is less. 您可以绑定一些信息,例如USER_AGENT和IP地址,但是,这些信息也可能被黑客欺骗,但是可能性很小。
Also, once user signed out, you can delete the session record in the database. 同样,用户注销后,您可以删除数据库中的会话记录。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.