
Storing session for use in members area

I have created a registration/login system for my members area. Once the user has logged in, I want to store a session variable that I can use to retrieve data associated with the user from the database.

Should I encrypt the variable in any way? The data I want as a variable will be either the username or the id; which is best?

Should session IDs be regenerated in any way, and when?

Data stored in the session is considered "safe", so you don't need to encrypt/decrypt it.

Session IDs are stored like a cookie on the client's machine and are passed back to the server with every single request. This is how PHP determines what information to load into a session once it receives the request.

Since sessions live on the server and not on the client, you only need to worry about session hijacking with regard to whether the information stored in them is secure or not. The answer to your question is no, I would not try to encrypt the information that is stored in the session.

You should regenerate your session ID after a successful login/logout. For security reasons, I would recommend asking the user for his password if he wants to perform a critical action (changing important data, deleting the account or submitting an order, for example).

As AurimasL stated, you don't have to worry about session data on the server side. I recommend this reading if you are on a shared host, because then there are some security aspects: http://phpsec.org/projects/guide/5.html

Just an addition to the comments below:

Keep in mind that creating sessions is expensive for your server app. Sometimes it is a good idea to store the id in the session and other information in cookies (information that doesn't need security, such as the username).
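An added example (not code from the original question or answers, and not from any referenced project) putting the advice above into plain PHP: hardened session cookie settings, `session_regenerate_id()` after a successful login, only the numeric user id stored in `$_SESSION`, a password re-check before a critical action, and a logout that destroys the server-side session and expires the cookie. It assumes a PDO connection `$pdo` and a `users` table with `id`, `username` and `password_hash` columns (hashed with `password_hash()`); those names are assumptions.

```php
<?php
// Added example, not from the original answers. Assumes a PDO connection $pdo
// and a `users` table with columns id, username, password_hash (these names
// are assumptions for illustration).
declare(strict_types=1);

// Harden the session before starting it.
ini_set('session.use_strict_mode', '1');   // reject IDs the server never issued
ini_set('session.use_only_cookies', '1');  // never accept the ID from the URL
session_set_cookie_params([
    'lifetime' => 0,        // session cookie, gone when the browser closes
    'path'     => '/',
    'secure'   => true,     // only sent over HTTPS
    'httponly' => true,     // not readable from JavaScript
    'samesite' => 'Lax',
]);
session_start();

/**
 * Verify credentials and bind the session to the user.
 * Only the numeric id is stored; everything else is re-read from the DB.
 */
function login(PDO $pdo, string $username, string $password): bool
{
    $stmt = $pdo->prepare('SELECT id, password_hash FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return false;
    }

    // New ID on privilege change: an ID fixated before login is useless afterwards.
    // `true` deletes the old session data on the server.
    session_regenerate_id(true);
    $_SESSION['user_id']    = (int) $row['id'];
    $_SESSION['login_time'] = time();
    return true;
}

/** Return the logged-in user's row, or null if nobody is logged in. */
function currentUser(PDO $pdo): ?array
{
    if (!isset($_SESSION['user_id'])) {
        return null;
    }
    $stmt = $pdo->prepare('SELECT id, username FROM users WHERE id = ?');
    $stmt->execute([$_SESSION['user_id']]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

/** Re-authenticate before a critical action (delete account, change e-mail, ...). */
function confirmPassword(PDO $pdo, string $password): bool
{
    if (!isset($_SESSION['user_id'])) {
        return false;
    }
    $stmt = $pdo->prepare('SELECT password_hash FROM users WHERE id = ?');
    $stmt->execute([$_SESSION['user_id']]);
    $hash = $stmt->fetchColumn();
    return $hash !== false && password_verify($password, $hash);
}

/** Log out: clear session data, expire the cookie, destroy the server-side session. */
function logout(): void
{
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', [
            'expires'  => time() - 42000,
            'path'     => $p['path'],
            'domain'   => $p['domain'],
            'secure'   => $p['secure'],
            'httponly' => $p['httponly'],
            'samesite' => $p['samesite'],
        ]);
    }
    session_destroy();
}
```

The array forms of `session_set_cookie_params()` and `setcookie()` need PHP 7.3 or later. If you follow the last comment and also keep the username in a plain cookie for display, treat that cookie as untrusted input: the only value that should drive authorization is the `user_id` held server-side in `$_SESSION`.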
