如何保存PHPSESSID?
[英]How PHPSESSID are saved?
问题描述
Does anyone know the principle of working of PHPSESSID ? 
有谁知道PHPSESSID的工作原理? How does it work and where it is saved? 它是如何工作的以及保存在哪里? Is it saved on client side or on serverside, will another PC be able to connect to my account from his PC if he knows my PHPSESSID ? 它是保存在客户端还是服务器端,如果另一台PC知道我的PHPSESSID ,他是否可以从他的PC连接到我的帐户?
2 个解决方案
解决方案1
2 2013-04-06 15:15:38
yes, that's why it's better to not pass the session id through url but to use cookies instead: 是的,这就是为什么最好不要通过url传递会话ID,而是改用cookie:
php.ini: session.use_cookies = 1 php.ini: session.use_cookies = 1
In that case there's a folder in the server (php.ini: session.save_path ) that will store the files, and also a cookie in your harddrive to map your credentials to the registered session_id. 在这种情况下,服务器上将存在一个文件夹(php.ini: session.save_path ),该文件夹将存储文件,硬盘中还将包含一个cookie以将您的凭据映射到已注册的session_id。
php.ini: session.cookie_lifetime php.ini: session.cookie_lifetime
sets up the time this cookie will live for (0 for infinite), while 设置此Cookie的生存时间(无限期为0),而
php.ini: session.gc_maxlifetime php.ini: session.gc_maxlifetime
defines how long it is going to live on the server. 定义它将在服务器上保留多长时间。
Use 采用
php.ini: session.cookie_httponly = 1 along with session.cookie_secure = 1 (if you are using ssl) php.ini: session.cookie_httponly = 1以及session.cookie_secure = 1 (如果使用的是ssl)
to improve the protection of the informations of your cookies so they are unavailable through javascript, being a good last chance parachute in case of xss attack sending your cookies to a malicious destination. 改善对cookie信息的保护,以使它们无法通过javascript获得,这是万一xss攻击将您的cookie发送到恶意目标的最后机会。
As pointed out by Explosion pills, there's always a way to be hi-jacked anyway. 正如Explosion药丸所指出的,无论如何总有一种劫持的方法。 All you can do is making it harder. 您所能做的就是加大难度。
解决方案2
1 2013-04-06 15:18:10
The session data is saved on the file system on the server side with the session ID as the identifier. 会话数据以会话ID为标识符保存在服务器端的文件系统上。 The actual location varies, and you can change it via the session.save_path ini setting. 实际位置有所不同,您可以通过session.save_path ini设置进行更改。 You can also change the PHPSESSID name, but this is provided to the client as a cookie and references the session file. 您也可以更改PHPSESSID名称,但这是作为cookie提供给客户端的,并引用了会话文件。 On my system 在我的系统上
/var/lib/php5/sess_53jsd3icrkbqbbfrl6qlv6e6a7
While browsing I have the PHPSESSID cookie 53jsd3icrkbqbbfrl6qlv6e6a7 . 浏览时,我有PHPSESSID cookie 53jsd3icrkbqbbfrl6qlv6e6a7 。
Since this is used to identify the session, it's a security risk if it's exposed so yes a user can steal your session if they know the session ID. 由于使用它来标识会话,因此如果暴露出来,则存在安全风险,因此,如果用户知道会话ID,则可以窃取您的会话。 This is called session hijacking. 这称为会话劫持。 Note that even session.use_cookies = 1 is not enough because there's nothing preventing someone from setting that cookie if they know it. 请注意,即使session.use_cookies = 1也是不够的,因为没有什么可以阻止某人设置cookie(如果他们知道的话)。 Using https to encrypt the cookie is the only valid solution I know of. 我知道,使用https加密cookie是唯一有效的解决方案。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.