Is storing data in PHP $_SESSION insecure?

As per my understanding, PHP processes don't behave like application server processes. So, after the execution of a script the PHP process retains no user-specific data. It instead stores them in the user's cookie. So whatever we store in $_SESSION goes into cookies. Is this true? If yes, then are they stored in clear text, or is some encoding or encryption done?

No, the only thing that goes into the session cookie is the ID of the session - a random alphanumeric string. All the session data is stored on the server in a file (using the default session handler, though you can override it to store the data anywhere/any way you want).

No, that is not true. Only the session's ID is stored in the session cookie. The session data is all stored server-side (albeit in plain text, by default).

The 'cookie' that is stored on a client computer is a session id. The 'session' itself resides on the server. When a page is requested during a session, the session id is appended to the query string which lets the server know what session to load for this request.

Unless the session id is stolen (and the session 'hijacked'), sessions are secure. You can protect against this (somewhat) by storing the IP Address and the User Agent String that created the session in the session and comparing these against the requesting IP Address and User Agent string for each page access. Just remember that these rely on HTTP headers and can be spoofed.
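As an added example (not code from the original answers), here is the IP/User-Agent binding described above written out in PHP; the function names are my own, and it assumes the default server-side session store.

```php
<?php
// Added example: bind a PHP session to the client's IP address and
// User-Agent, and discard the session data when they change.

function client_fingerprint(): string {
    // Both values come from HTTP headers, so a thief who also copies
    // them can still pass this check; it narrows, not closes, the window.
    // Behind a reverse proxy REMOTE_ADDR is the proxy, and mobile clients
    // change IPs, so expect some false positives from the IP component.
    $ip = $_SERVER['REMOTE_ADDR'] ?? '';
    $ua = $_SERVER['HTTP_USER_AGENT'] ?? '';
    return hash('sha256', $ip . "\0" . $ua);
}

function start_bound_session(): void {
    session_start();
    $current = client_fingerprint();

    if (!isset($_SESSION['fp'])) {
        // First request in this session: record who created it.
        $_SESSION['fp'] = $current;
        return;
    }

    if (!hash_equals($_SESSION['fp'], $current)) {
        // Valid session ID but a different client profile: treat it as a
        // hijack, drop the stored data, and issue a fresh ID so the old
        // cookie value no longer maps to anything on the server.
        $_SESSION = [];
        session_regenerate_id(true);
        $_SESSION['fp'] = $current;
    }
}

start_bound_session();
// Normal use: this counter lives in the server-side session file; only
// the session ID travels in the cookie.
$_SESSION['visits'] = ($_SESSION['visits'] ?? 0) + 1;
echo 'Visits this session: ' . $_SESSION['visits'];
```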

The cookies are just identifiers stored in the client. These are given to the server with each HTTP request. The server then matches the cookie identifier with stored data and retrieves the correct values for $_SESSION.
