使用会话ID作为密钥的PHP Mycrypt
[英]php mycrypt using session id as key
问题描述
I successfully use mycrypt to encrypt id's in an admin panel as they are often seen in the URL. 
我成功地使用mycrypt来加密管理面板中的ID,因为它们经常出现在URL中。 I have previously added a key manually as I code, but this time I plan to use the users account id which is kept in a session. 我以前在编写代码时手动添加了密钥,但是这次我计划使用会话中保留的用户帐户ID。 Is this a good way, or should I keep with a fixed key throughout the site. 这是个好方法,还是我应该在整个站点上都保持固定的密钥。
Thanks 谢谢
1 个解决方案
解决方案1
0 2014-10-30 21:37:17
Never pass SESSION IDs over URLs, even if encrypted (though it's weird and still quite unsafe). 即使已加密,也不要通过URL传递SESSION ID(尽管这很奇怪而且仍然很不安全)。 Transferring SESSION IDs has been deprecated long time ago by PHP (session.use_trans_id=0). 很久以前,PHP(session.use_trans_id = 0)不建议使用传输SESSION ID。 Session ID is transferred automatically by browser, you don't need to take care of it at all. 会话ID是由浏览器自动传输的,您完全不必理会。
The only use case might be if you want forcibly allow browsers with disabled cookies, then you would need to append such a parameter to all links (mimicking deprecated bahaviour). 唯一的用例可能是,如果您要强制允许具有禁用Cookie的浏览器,那么您需要在所有链接后附加这样的参数(模仿不推荐使用的行为)。 However: 然而:
- it would be still great security risk, since mostly attackers and malicious webbots disable cookies, 仍然会有很大的安全风险,因为大多数攻击者和恶意网络机器人都会禁用Cookie,
- encrypting in any ways makes no sense coz string can be still hijacked and server will decrypt into original session ID 以任何方式加密都没有意义,因为仍然无法劫持coz字符串,服务器将解密为原始会话ID
So you just pull out userID stored in session and don't worry about transferring session ID over URL. 因此,您只需拉出存储在会话中的用户ID,就不必担心通过URL传输会话ID。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.