[英]PHP Session with an identifier with the user_id and user_agent
What's up guys,伙计们怎么了
I'm creating a log in system now and I want to secure for session hijacking (I read it up on the PHP Security Consortium website).我现在正在创建一个登录系统,我想保护会话劫持(我在 PHP 安全联盟网站上阅读了它)。 I have one problem though, I use the session variable to store the user_id, so that I can load the right content from the database when it's needed.但是我有一个问题,我使用会话变量来存储 user_id,以便我可以在需要时从数据库加载正确的内容。 However, instead of a session that looks like for example '58', and 58 is the user_id, it now looks like:但是,现在的会话不再是像“58”这样的会话,而 58 是 user_id,它现在看起来像:
585C2reaY2wXT9bR92hgtQnXlcKcxBtWqa8DArzgElQv69L3JgYoO96Ra8CbXHz518Z9ltKn3fK0tL3C2nMbFXdUr8T0HWUHZGgYOsvx2eNTf3JuMlKi/cTTqpqDLGuXtBEa+cgKhgxXgh9QviFgbc50Js/vbpTZ4BmKArgt4kvQE=
The first two numbers, the 58, is the user_id.前两个数字 58 是 user_id。 The rest is the user agent of the logged in user which is encrypted.其余的是已加密的登录用户的用户代理。
My question is, how can I separate the user_id from the encrypted user_agent to use the user_id to do all the right SQL queries and load the right data?我的问题是,如何将 user_id 与加密的 user_agent 分开以使用 user_id 执行所有正确的 SQL 查询并加载正确的数据? So the session identifier at the top, I have to cut it in two pieces, the first piece is the user_id, the second piece the encrypted user_agent.所以顶部的会话标识符,我必须把它分成两部分,第一部分是user_id,第二部分是加密的user_agent。
You would need to slightly modify your session to do something along the lines of the following.您需要稍微修改您的会话以执行以下操作。
58:5C2reaY2wXT9bR92hgtQnXlcKcxBtWqa8DArzgElQv69L3JgYoO96Ra8CbXHz518Z9ltKn3fK0tL3C2nMbFXdUr8T0HWUHZGgYOsvx2eNTf3JuMlKi
Note the :
I added after the user id.请注意:
我在用户 ID 之后添加了。
Then you would do something like the following to grab the user id portion of that string然后,您将执行以下操作以获取该字符串的用户 ID 部分
$str = substr($string, 0, strpos($string, ":"));
Use any character out of the possible ones in user_id.使用 user_id 中可能出现的任何字符。 It looks to me that any non-numeric character might fit.在我看来,任何非数字字符都可能适合。 Then split up to it.然后分手吧。 Here is an example with "=" as a separator:这是一个以“=”作为分隔符的示例:
$user_agent = base64_decode(substr($string, 0, strpos($string, "=")));
Note that base64 is not encryption, it is a simple encoding.请注意,base64 不是加密,它是一种简单的编码。
I suggest doing the following我建议执行以下操作
Upon settings the session variable, you need to do this..设置会话变量后,您需要执行此操作..
$user_id = 1299429; // example
// Generate the session variable with the user agent and set it
// In another session variable, save the length of the user_id so
$_SESSION['user_id_length'] = strlen($user_id);
Then upon seperating it, you can do the following然后在分离它时,您可以执行以下操作
$user_id = substr($encrypted, 0, $_SESSION['user_id_length']);
You can try this code.你可以试试这个代码。 It will take the first two characters它将需要前两个字符
$str = substr($string, 0, 2);
where $string
is your long encrypted string.其中$string
是您的长加密字符串。 This will return the string starting at the first character, and taking two characters.这将返回从第一个字符开始并取两个字符的字符串。 Or if you know the length of your encryption, for example 64 characters.或者,如果您知道加密的长度,例如 64 个字符。
$enc_length = 64;
$userid_length = strlen($_SESSION['variables']) - $enc_length;
$userid = substr($string, 0, $userid_length);
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.