堆栈内存溢出
  简体   繁体   English

在php中利用会话进行身份验证的正确方法是什么?

[英]What is the proper way to utilise sessions for authentication in php?

 原文  2014-08-17 06:50:26       php/ security/ session/ authentication/ login

问题描述

Currently what I do is store the user's username after a sucessful login into a session variable. 当前,我要做的是在成功登录会话变量后存储用户的用户名。 

$_SESSION['session_loggedin'] = $post_username;

post_username is the POST from the submit form. post_username是提交表单中的POST。

Then i use this session variable to check if it is set, to see if a user is logged in. I use the value of this variable to show user-specific content. 然后,我使用此会话变量来检查它是否已设置,以查看用户是否登录。我使用此变量的值来显示用户特定的内容。 

                <?php
                if (isset($_SESSION['session_loggedin'])) {
                    ?>
                        <a href="logout.php">LOGOUT</a>
                     <?php
                }
            ?>

Is this how sessions are meant to be used? 这是会话的使用方式吗? Is this a right way to securely show content? 这是安全显示内容的正确方法吗? How do I prevent hijacking? 如何防止劫持?

Thanks 谢谢

2 个解决方案

解决方案1
 0  2014-08-17 07:00:00

You're almost there! 你快到了! But you are supposed to store the user's id on session. 但是您应该在会话中存储用户的ID。 You query the database where username is equal to post username and password is equal to post password, the count the number of rows return! 您查询的数据库中,用户名等于发布用户名,密码等于发布密码,计算返回的行数! From there you store the user's id on session. 从那里,您存储会话的用户ID。

解决方案2
 0  2014-08-17 07:00:44

To see how PHP sessions are used please go to: http://www.w3schools.com/php/php_sessions.asp . 要查看如何使用PHP会话,请访问: http : //www.w3schools.com/php/php_sessions.asp No since i could go onto your other pages (assuming you have some) and insert a username ie if John Smith Logged in with a Password:password thats fine but i could go onto you website and put John Smith as $_SESSION['session_loggedin'] and be away with his account. 否,因为我可以进入您的其他页面(假设您有一些页面)并输入用户名,即如果John Smith使用Password:password登录就可以了,但是我可以进入您的网站并将John Smith设置为$_SESSION['session_loggedin']然后离开他的帐户。 You may ask but how will he know about $_SESSION['session_loggedin'] if he is smart he would create a user and capture the sessions and see what he needs to input to gain control of another account. 您可能会问,但是他怎么会知道$_SESSION['session_loggedin']如果他很聪明,他将创建一个用户并捕获会话并查看他需要输入什么才能获得对另一个帐户的控制权。 Instead of a username i would recommend a hashcode! 而不是用户名,我会推荐一个哈希码!

See this for hijacking: What is the best way to prevent session hijacking? 劫持行为见此: 防止会话劫持的最佳方法是什么?

暂无
暂无

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

相关问题 在php中设置会话的正确方法是什么? - What is the proper way to setup your sessions in php? 什么是处理会话和身份验证的“完全正确的面向对象”方法? - What is a “pretty and proper OO” way for handling sessions and authentication? 通过会话登录-正确的方法是什么? - Logging in via sessions - what is the proper way? 正确使用PHP会话 - Proper usage of PHP Sessions 使用身份验证保护CodeIgniter 2应用程序的正确方法是什么? - What is proper way to secure CodeIgniter 2 application with authentication? 在php中串联的正确方法是什么 - What is the proper way to concatenate in php PHP会话变量和身份验证 - PHP Sessions Variables & Authentication PHP API身份验证和会话 - PHP API authentication and sessions 嵌套PHP脚本的正确方法是什么? - What is the proper way to nest PHP scripts? 在php中声明变量的正确方法是什么? - What is the proper way to declare variables in php?
相关标签
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM