
Site login and session management

So I am working on a site that requires a login against a MySQL database with "remember me" functionality. I got that fine (based off of Jaspan's page). What I am a little fuzzy on is the use of sessions to track user movement. I'm not worried about their history on the site. I've looked around on the interwebs and especially SO, but I haven't really found what I'm looking for. Perhaps I'm just not using the right keywords to search. Anyway... as I said, I have the actual login process, and a cookie is set up with the triplet for the "remember me" functionality. But how do I track the authenticated status while the user is browsing the website? The logged-in user should be able to browse the secure area of the website, or the scripts should output special data, without the website having to check the "remember me" triplet against the database every page load. I thought to do something like $_SESSION['authed']==true, and every page load would check the session value, but I suspect that isn't a very secure way to go about this. I have observed that if I set $_SESSION['authed']==true, close the browser, open the browser, and go to the site again, it still says authed=true. Now, I DO understand that the session variables are stored on the webserver, not in the browser's cache. However, I can't see the big picture enough to know the right way to go about this.

I thought to do something like $_SESSION['authed']==true, and every page load would check the session value

Yes, that's what you do.

but I suspect that isn't a very secure way to go about this

It's perfectly fine. You establish a session, which means you send a unique cookie to the user. That is your security. The fact that you have a session at all is your security. Then you simply record the fact whether the user is "logged in" or not in that session.

I have observed that if I set $_SESSION['authed']==true, close the browser, open the browser, and go to the site again, it still says authed=true.

Yes, cookies don't necessarily expire when the browser is closed. Each cookie has a specified expiration time; they can persist however long you want. Even cookies without an expiration time aren't necessarily immediately discarded when the browser is closed. That may have been the default behaviour of browsers a few years ago, but isn't necessarily true anymore.
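The pattern the answer describes, written out as an added example (this is not code from the question, the answer, or Jaspan's page): the session cookie is the only credential checked on a normal page load, the "logged in" fact lives in $_SESSION['authed'], and the "remember me" triplet is only consulted when no authenticated session exists, so the database lookup happens once per session rather than on every request. The idle timeout, the function names, and the $verifyRememberMe callback (which stands in for whatever triplet check the site already has) are assumptions for the example; the session and cookie functions are standard PHP (7.3 or later for the array-style cookie options).

```php
<?php
// Added example: session-based login state in PHP. Not from the original post.
declare(strict_types=1);

// Assumed value for the example: log the user out after 30 minutes of inactivity,
// enforced on the server so it does not depend on the browser discarding cookies.
const SESSION_IDLE_TIMEOUT = 1800;

function startSecureSession(): void
{
    if (session_status() === PHP_SESSION_ACTIVE) {
        return;
    }
    // Reject session IDs the server never issued (defence against session fixation).
    ini_set('session.use_strict_mode', '1');
    session_set_cookie_params([
        'lifetime' => 0,        // "session" cookie; browsers may still keep it (see answer above)
        'path'     => '/',
        'secure'   => true,     // only sent over HTTPS
        'httponly' => true,     // not readable from JavaScript
        'samesite' => 'Lax',
    ]);
    session_start();
}

// Call this once, after the password (or the remember-me triplet) has been verified.
function markLoggedIn(int $userId): void
{
    startSecureSession();
    session_regenerate_id(true);   // fresh ID on privilege change, old one deleted
    $_SESSION['authed']    = true;
    $_SESSION['user_id']   = $userId;
    $_SESSION['last_seen'] = time();
}

// The per-page check: no database access, just the server-side session record.
function isLoggedIn(): bool
{
    startSecureSession();
    if (empty($_SESSION['authed'])) {
        return false;
    }
    if (time() - (int) ($_SESSION['last_seen'] ?? 0) > SESSION_IDLE_TIMEOUT) {
        logout();
        return false;
    }
    $_SESSION['last_seen'] = time();
    return true;
}

function logout(): void
{
    startSecureSession();
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', [
            'expires'  => time() - 42000,
            'path'     => $p['path'],
            'domain'   => $p['domain'],
            'secure'   => $p['secure'],
            'httponly' => $p['httponly'],
            'samesite' => $p['samesite'],
        ]);
    }
    session_destroy();
}

// Resolve the request's login state. $verifyRememberMe is a hypothetical callback
// that validates the remember-me cookie against the database and returns the user
// id, or null; it is only invoked when the session is not already authenticated.
function authenticateRequest(callable $verifyRememberMe): bool
{
    if (isLoggedIn()) {
        return true;
    }
    $userId = $verifyRememberMe();
    if ($userId === null) {
        return false;
    }
    markLoggedIn($userId);
    return true;
}

// Guard for a protected page.
function requireLogin(callable $verifyRememberMe): void
{
    if (!authenticateRequest($verifyRememberMe)) {
        header('Location: /login.php', true, 302);
        exit;
    }
}
```

On a protected page the whole check is requireLogin(fn() => lookupRememberMeTriplet()), where the callback is the site's existing triplet validation; once it has succeeded, subsequent requests are authorised by the session cookie alone until logout() or the idle timeout clears the flag.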
