
Best way for authentication in PHP

What's the best and most secure way to go when writing an authentication library in a model-view-controller way?

The things that give me a hard time are keeping track of the users' activity and remembering users via a cookie, or storing sessions in the database?

Thanks in advance :).

If you want to use sessions, you have to secure them against attacks like session fixation and session hijacking.

To prevent both you have to ensure that only authenticated requests are allowed to use the session. This is commonly done by chaining as much specific (possibly unique) information about the client as possible to the session. But as some information may change on every request (like the IP address), it can be difficult to find a good one.
This is why it is useful to use the method denoted as Trending.

Another good protection measure is to swap the session ID periodically. Thus the period for an attack on a valid session ID is smaller.

The simplest way to implement it is with PHP sessions.

Just call session_start(); near the beginning of your script and you have access to the $_SESSION global array for holding your authentication data.

Depending on the configuration of your server, all the data stored in $_SESSION will only be available on the server from which it is hosted (with few exceptions). You can configure it to be saved in a temporary directory, in memcached, or even a database.

The only thing that is transmitted between the client and your server is a "session key". The key can be passed by cookie or URL rewrites (which are transparently handled by the start_session output buffer).
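The two answers above describe the same pattern from two sides: session_start() plus $_SESSION for holding the login state, and fixation/hijacking defences (binding the session to client information, rotating the ID). The following is an added example that puts both into one small helper; it is not code from either answer. The function names (secure_session_start, session_login, session_user, session_logout, reset_session, client_fingerprint) and the timeout constants are this example's own choices, and the array form of session_set_cookie_params() assumes PHP 7.3 or later.

```php
<?php
// Added example, not from the original answers: a minimal session-hardening
// helper for a PHP login. All function names and the two constants are
// this example's own choices.

declare(strict_types=1);

const SESSION_ROTATE_INTERVAL = 300;  // seconds between session ID rotations
const SESSION_IDLE_TIMEOUT    = 1800; // seconds of inactivity before the session is dropped

function client_fingerprint(): string
{
    // Only reasonably stable client information is bound to the session.
    // The IP address is deliberately left out: it can change on every request.
    return hash('sha256', $_SERVER['HTTP_USER_AGENT'] ?? '');
}

function reset_session(int $now): void
{
    // Drop all stored data, issue a fresh ID and rebind the fingerprint.
    $_SESSION = [];
    session_regenerate_id(true);
    $_SESSION['fingerprint'] = client_fingerprint();
    $_SESSION['created']     = $now;
    $_SESSION['rotated']     = $now;
}

function secure_session_start(): void
{
    // Accept session IDs from the cookie only, never from the URL, and refuse
    // to adopt an ID the server never issued (strict mode defeats fixation).
    ini_set('session.use_strict_mode', '1');
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_trans_sid', '0');

    session_set_cookie_params([
        'lifetime' => 0,      // browser-session cookie
        'path'     => '/',
        'secure'   => true,   // sent over HTTPS only
        'httponly' => true,   // not readable from JavaScript
        'samesite' => 'Lax',
    ]);
    session_start();

    $now = time();

    if (!isset($_SESSION['fingerprint'])) {
        // First request with this ID: bind it to the client.
        reset_session($now);
    } elseif (!hash_equals($_SESSION['fingerprint'], client_fingerprint())) {
        // Fingerprint mismatch: treat the ID as hijacked and start over.
        reset_session($now);
    } elseif (isset($_SESSION['last_seen'])
              && $now - $_SESSION['last_seen'] > SESSION_IDLE_TIMEOUT) {
        // Idle too long: the login state is discarded.
        reset_session($now);
    }
    $_SESSION['last_seen'] = $now;

    // Periodic rotation shortens the window in which a leaked ID is usable.
    if ($now - $_SESSION['rotated'] > SESSION_ROTATE_INTERVAL) {
        session_regenerate_id(true);
        $_SESSION['rotated'] = $now;
    }
}

function session_login(int $userId): void
{
    // New ID on privilege change, so a pre-login ID is never promoted
    // to an authenticated one.
    session_regenerate_id(true);
    $_SESSION['user_id'] = $userId;
    $_SESSION['rotated'] = time();
}

function session_user(): ?int
{
    return isset($_SESSION['user_id']) ? (int) $_SESSION['user_id'] : null;
}

function session_logout(): void
{
    $_SESSION = [];
    $p = session_get_cookie_params();
    // Expire the cookie on the client as well as destroying the server copy.
    setcookie(session_name(), '', time() - 3600, $p['path'], $p['domain'],
              $p['secure'], $p['httponly']);
    session_destroy();
}

// Usage at the top of every script, before any output is sent:
secure_session_start();
if (session_user() === null) {
    // not logged in: show the login form, and call session_login($id)
    // after the password check succeeds
}
```

The fingerprint check is the "chaining client information to the session" idea from the first answer with only the User-Agent, because the answer itself points out that values like the IP address change between requests; the rotation interval and idle timeout are the "swap the session ID periodically" measure. Where the sessions are stored (temp directory, memcached, database) is controlled by session.save_handler, as the second answer notes, and this code does not depend on it.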
