
PHP session id in cookie and storage

I've read multiple comments about encrypting PHP session data, in case it is stored in a temp directory that is available to multiple accounts on a shared server. However, even if the data is encrypted, session_start() still generates filenames containing the session_id. For example, sess_uivrkk2c5ksnv2hnt5rc8tvgi5, where uivrkk2c5ksnv2hnt5rc8tvgi5 is the same session id I found in the cookie my browser received.

How is this problem typically addressed / could someone point me to an example? All of the simple examples I've found only address encrypting the data, not changing the filename.

Just to see what would happen, I made a SessionHandler wrapper that would do an MD5 hash on the $session_id variable before passing it on to its parent function, but that did not work. Instead, I ended up with two files: a blank one (with session_id as a part of its name) and a full one (with an MD5'ed session_id). Also, there was the problem of close() not accepting session_id as a parameter, so I couldn't pass it on to its parent.

EDIT: I'm learning about PHP sessions; this isn't for a live commercial site, etc.

Yes, in some scenarios (i.e. a very incompetently configured server, although these do unfortunately exist) on a shared server your session data may be readable by other people. Trying to hide the session files by changing their names serves no useful purpose; this is described as "Security through Obscurity". Go and Google the phrase; it is usually described as an oxymoron.

If your question is how you prevent other customers from accessing your session data on a badly configured server, then the sensible choices (in order of priority) are:

  • switch service provider
  • use a custom session handler to store the data somewhere secure (e.g. a database). There are lots of examples on the web; quality varies
  • use a custom session handler to encrypt the data and use file storage. Again, you don't need to write the code yourself; just scrutinize any candidates

If you want to find out whether your provider might be a culprit, just have a look at the value of __FILE__. Does it look as if you have access to the root filesystem? Write a script which tries to read from outside your home directory. If you can't, then the provider may have set an open_basedir restriction (it is possible to get around this; again, Google will tell you how).
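The third option above (encrypt the data, keep the built-in file storage) is the one the questioner was trying to build. The following is an added example, not code from the question or the answer: it extends PHP's built-in SessionHandler and encrypts the serialized session payload in write() and decrypts it in read(), leaving open(), close(), destroy() and gc() to the parent. The session id is passed to the parent unchanged, so only one sess_<id> file is created. It assumes PHP 8.0 or later with the sodium extension, and a 32-byte key supplied as hex in an environment variable named SESSION_KEY (the variable name and key location are assumptions for the example; use whatever out-of-web-root location suits your host). The session id is fed in as the AEAD's associated data, so a neighbour who can read the directory cannot copy one session's ciphertext into another session's file without the MAC failing.

```php
<?php
// Added example: encrypt-at-rest wrapper around PHP's built-in file session handler.
// Only the file contents are protected; the file name still contains the session id.
declare(strict_types=1);

final class EncryptedFileSessionHandler extends SessionHandler
{
    private const NONCE_BYTES = SODIUM_CRYPTO_AEAD_XCHACHA20POLY1305_IETF_NPUBBYTES; // 24
    private const KEY_BYTES   = SODIUM_CRYPTO_AEAD_XCHACHA20POLY1305_IETF_KEYBYTES;  // 32
    private const TAG_BYTES   = SODIUM_CRYPTO_AEAD_XCHACHA20POLY1305_IETF_ABYTES;    // 16

    private string $key;

    public function __construct(string $key)
    {
        if (strlen($key) !== self::KEY_BYTES) {
            throw new InvalidArgumentException('Session key must be exactly ' . self::KEY_BYTES . ' bytes');
        }
        $this->key = $key;
    }

    // Called by PHP after open(); $id is the id from the cookie, passed through untouched.
    public function read(string $id): string|false
    {
        $blob = parent::read($id);
        if ($blob === false || $blob === '') {
            return $blob; // new session, or the parent handler failed
        }

        $raw = base64_decode($blob, true);
        if ($raw === false || strlen($raw) < self::NONCE_BYTES + self::TAG_BYTES) {
            return ''; // not something we wrote: treat as an empty session, never as trusted data
        }

        $nonce      = substr($raw, 0, self::NONCE_BYTES);
        $ciphertext = substr($raw, self::NONCE_BYTES);

        // The session id is the associated data: a file copied from sess_<other id>
        // fails authentication here even though it was encrypted under the same key.
        $plain = sodium_crypto_aead_xchacha20poly1305_ietf_decrypt($ciphertext, $id, $nonce, $this->key);
        return $plain === false ? '' : $plain;
    }

    // Called by PHP at the end of the request with the serialized $_SESSION payload.
    public function write(string $id, string $data): bool
    {
        $nonce      = random_bytes(self::NONCE_BYTES); // fresh per write; never reuse with XChaCha20
        $ciphertext = sodium_crypto_aead_xchacha20poly1305_ietf_encrypt($data, $id, $nonce, $this->key);
        return parent::write($id, base64_encode($nonce . $ciphertext));
    }
}

// Bootstrap. SESSION_KEY is an assumed environment variable holding 64 hex chars
// (32 random bytes); generate one with: php -r 'echo bin2hex(random_bytes(32));'
$hex = getenv('SESSION_KEY');
if ($hex === false || strlen($hex) !== 64) {
    throw new RuntimeException('SESSION_KEY must be set to 32 bytes encoded as hex');
}
$handler = new EncryptedFileSessionHandler(sodium_hex2bin($hex));

// The second argument registers session_write_close() as a shutdown function.
session_set_save_handler($handler, true);

// Cookie hardening belongs alongside storage hardening.
ini_set('session.use_strict_mode', '1');   // reject ids the server did not issue
ini_set('session.cookie_httponly', '1');
ini_set('session.cookie_secure', '1');     // assumes the site is served over HTTPS
ini_set('session.cookie_samesite', 'Lax');

session_start();
$_SESSION['user'] = 'alice'; // constructed sample value; on disk it is now ciphertext
```

Two caveats a practitioner would want. First, parent::read() and parent::write() only work while this object is the registered handler, so the class cannot be unit-tested by calling read() directly outside session_start(); test it through a real session cycle. Second, as the answer says, encryption protects the contents but not the name: a neighbour who can list the directory still sees valid session ids in the sess_* filenames, which is why the database option ranks above this one. If you stay on file storage, at least point session.save_path at a directory under your own account with mode 0700.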
