
PHP Session Validation - Best Practices

I have a database in which I store session ID's once they have been validated to a user.

From a security standpoint, should I be checking the session ID against the session ID stored in the database for every protected page being accessed?

If I do not do this, wouldn't it be possible for someone to hijack the validated session ID, and do a post with the necessary variables to access restricted pages?

From a performance standpoint - if I should be checking the session ID against the database for every request, would it be significantly more efficient to store validated session ID's in their own text files instead of making so many database queries?

Thanks in advance.

Yes, you should check the session ID on every request. It's still possible for session hijacking to occur, although a rolling session ID would help mitigate this (i.e. change the session ID on each request).

It would not be more efficient to validate session IDs in a text file versus a database if your RDBMS supports results caching (MySQL calls this query caching).

If your query just verifies the existence of a session ID like SELECT COUNT(session_id) FROM sessions WHERE session_id = ? (you are using parametrised queries to prevent SQL injection, right?) then this may be cached (although MySQL may not do so in versions earlier than 5.1.17).

If/when there is no cache, the lookup should not cause any issues. Switching to an in-memory table at that point may be a good idea.
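The per-request check and the rolling session ID described in this answer, as an added example (not code from the thread). It assumes a PDO connection and a hypothetical `sessions` table with columns `session_id`, `user_id` and `last_access`; it fetches `user_id` rather than a COUNT so the lookup also tells the page who the caller is.

```php
<?php
// Added example, not from the original thread.
// Assumptions: $db is a PDO connection; table sessions(session_id VARCHAR(128) PRIMARY KEY,
// user_id INT, last_access DATETIME) is hypothetical and matches the question's description.

declare(strict_types=1);

/**
 * Returns the user_id bound to the given session ID, or null when the ID is not
 * in the table (never validated, or revoked since).
 */
function validatedUserId(PDO $db, string $sessionId): ?int
{
    // Parametrised query: the session ID is bound, never concatenated into SQL.
    $stmt = $db->prepare('SELECT user_id FROM sessions WHERE session_id = ?');
    $stmt->execute([$sessionId]);
    $userId = $stmt->fetchColumn();
    return $userId === false ? null : (int) $userId;
}

/**
 * Rolling session ID: issue a fresh ID and move the database row to it, so an
 * ID captured by an attacker stops working at the legitimate user's next request.
 */
function rollSessionId(PDO $db, string $oldId): string
{
    session_regenerate_id(true); // true: discard the old session data file
    $newId = session_id();
    $stmt = $db->prepare(
        'UPDATE sessions SET session_id = ?, last_access = NOW() WHERE session_id = ?'
    );
    $stmt->execute([$newId, $oldId]);
    return $newId;
}

/**
 * Guard for the top of every protected page: rejects unknown sessions and
 * rolls the ID of valid ones. Returns the authenticated user_id.
 */
function requireValidSession(PDO $db): int
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    $current = session_id();
    $userId = validatedUserId($db, $current);
    if ($userId === null) {
        // Unknown or revoked ID: drop the client-side session and refuse.
        session_unset();
        session_destroy();
        http_response_code(403);
        exit('Session not valid; please log in again.');
    }
    rollSessionId($db, $current);
    return $userId;
}

// Usage on a protected page (connection details are placeholders):
// $db = new PDO('mysql:host=localhost;dbname=app', 'user', 'pass',
//               [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
// $userId = requireValidSession($db);
```

One practical caveat with rolling the ID on every request: pages that fire several concurrent requests (AJAX, image loads) can race, with a late request still carrying the old ID after it was deleted. Regenerating on a timer (say every few minutes) or only on privilege changes keeps most of the benefit without that failure mode.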

About security:
You describe the hijack risk yourself quite well. More important is the question of how likely this would happen and how sensitive your site / data is.

Now if someone takes over the PC of a registered user who didn't destroy the session (log off), how would you determine this? And why / how should the session ID change and still be valid?
It would probably be better to check the identity of the caller by accessing a cookie, checking the IP (on IP change re-logon), ...

About performance:
In general a text file query should take much longer than a database query, since the text file is almost always a file system / storage query, while the database query will often be in memory (cached).
Think of your database as another software program running in the background - it's basically instantly accessible if it runs on the same server.

-> Correct me if I'm wrong...

From a security standpoint, should I be checking the session ID against the session ID stored in the database for every protected page being accessed?

If I do not do this, wouldn't it be possible for someone to hijack the validated session ID, and do a post with the necessary variables to access restricted pages?

Yes, and you'll probably want to include some additional information in your database - e.g. last time accessed, IP address.

Generally speaking, checking and regenerating the session ID occurs when you change the status of a user. I.e.: user X gets admin access: you must check the session ID before granting access, and you regenerate a new ID after the operation.
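The extra per-session attributes that the second and third answers recommend (last access time, IP address) and the regenerate-on-privilege-change rule of the last answer, combined in one added example that is not code from the thread. It assumes a PDO connection to MySQL and a hypothetical `sessions` table with columns `session_id`, `user_id`, `ip`, `last_access` and `is_admin`; the 30-minute idle limit is a value chosen for the example.

```php
<?php
// Added example, not from the original thread.
// Assumptions: $db is a PDO connection to MySQL (UNIX_TIMESTAMP/FROM_UNIXTIME are
// MySQL functions); table sessions(session_id, user_id, ip VARCHAR(45),
// last_access DATETIME, is_admin TINYINT) is hypothetical.

declare(strict_types=1);

const IDLE_LIMIT_SECONDS = 1800; // 30 minutes, chosen for this example

/**
 * Compares the stored attributes of a session with the current request.
 * Returns a short reason when the caller must log in again, or null if the
 * session passes. Also refreshes last_access on success.
 */
function sessionProblem(PDO $db, string $sessionId, string $clientIp, int $now): ?string
{
    $stmt = $db->prepare(
        'SELECT ip, UNIX_TIMESTAMP(last_access) AS last FROM sessions WHERE session_id = ?'
    );
    $stmt->execute([$sessionId]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return 'unknown session';
    }
    if ($row['ip'] !== $clientIp) {
        return 'ip changed';   // the second answer's "on IP change re-logon"
    }
    if ($now - (int) $row['last'] > IDLE_LIMIT_SECONDS) {
        return 'idle timeout'; // covers the user who walked away without logging off
    }
    // Session is fine: restart the idle timer.
    $touch = $db->prepare(
        'UPDATE sessions SET last_access = FROM_UNIXTIME(?) WHERE session_id = ?'
    );
    $touch->execute([$now, $sessionId]);
    return null;
}

/**
 * Status change (user X becomes admin): verify the session first, then swap
 * to a fresh ID so an ID captured before the elevation does not inherit it.
 */
function elevateToAdmin(PDO $db, string $clientIp): void
{
    $oldId = session_id();
    $problem = sessionProblem($db, $oldId, $clientIp, time());
    if ($problem !== null) {
        throw new RuntimeException('Refusing to elevate: ' . $problem);
    }
    session_regenerate_id(true);
    $newId = session_id();
    $stmt = $db->prepare(
        'UPDATE sessions SET session_id = ?, is_admin = 1 WHERE session_id = ?'
    );
    $stmt->execute([$newId, $oldId]);
}

// Usage at the top of a protected page:
// session_start();
// $problem = sessionProblem($db, session_id(), $_SERVER['REMOTE_ADDR'], time());
// if ($problem !== null) { header('Location: /login.php'); exit; }
```

Binding a session to the client IP is the strictest of these checks and also the one most likely to log out legitimate users: mobile clients and users behind rotating NAT pools change address mid-session. The second answer's point about weighing likelihood against data sensitivity applies here; the idle timeout and the regenerate-on-elevation step cost nothing in usability and are worth keeping regardless.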
