简体繁体 English

没有会话的PHP用户认证教程

[英]PHP user authentication tutorial without sessions

原文 2012-02-13 02:21:51 9 3 php/ cookies/ authentication

I need to build my own system for part of a computer security project without using php sessions (just cookies) and im just lost. 我需要为计算机安全项目的一部分构建我自己的系统，而不使用php会话（只是cookie），我只是丢失了。 All the tutorials ive found use sessions (for good reason) so I was wondering if anyone knew of a roll your own php user authentication tutorial. 我找到的所有教程都使用会话（有充分的理由）所以我想知道是否有人知道你自己的php用户身份验证教程。

3 个解决方案

You could basically implement something session like yourself. 您基本上可以实现像您一样的会话。

This would include the following tasks: 这包括以下任务：

generate a random session id for new users (or on login - based on the exact use...) 为新用户生成随机会话ID（或登录时 - 基于确切用途......）
save it into a cookie 将其保存到cookie中
do save additional session inforamtion somewhere on the server together with the session id (eg in a database table) 在会话ID的某处保存额外的会话信息（例如在数据库表中）
on subsequent page accesses check the session id in the cookie versus the data on the webserver to identify users and grant access 在后续页面访问中，检查cookie中的会话ID与Web服务器上的数据，以识别用户和授予访问权限

However it should be mentioned that a cookie only based solution is never that good. 但是应该提到的是，基于cookie的解决方案永远不会那么好。 If a client for example doesn't have cookies enabled it won't work at all. 例如，如果客户端没有启用cookie，则根本不起作用。 A possible solution for this is to send the session id as GET parameter with every internal link if cookies are not enabled. 对此可能的解决方案是，如果未启用cookie，则将会话ID作为GET参数发送到每个内部链接。

Sessions would make it much easier. 会话会让事情变得更容易。 That being said, where are you getting stuck mate? 话虽这么说，你在哪里遇到伴侣？

To get started using Cookies in PHP, check this out: http://www.w3schools.com/php/php_cookies.asp 要开始在PHP中使用Cookie，请查看以下内容： http ： //www.w3schools.com/php/php_cookies.asp

You could either 你可以

implement your own Session handling as s1lence suggests (which might be exactly what the professor wants you to do) or 如s1lence所建议的那样实现你自己的会话处理（这可能正是教授希望你做的）或者
implement your own Session handling through appending the session id to the QueryString (making it work for non-cookie browsers) or 通过将会话ID附加到QueryString（使其适用于非cookie浏览器）或。来实现您自己的会话处理
you could store the user/password pair in cookies (which would force you to reauthenticate the user for every request) 您可以将用户/密码对存储在cookie中（这会强制您为每个请求重新验证用户）

I wouldn't recommend the latter, but if it's all about avoiding the Session Mechanism it's an option I guess. 我不推荐后者，但如果它是关于避免会话机制的话，我猜是一个选项。 And a last remark, if this doesn't have something to do with understanding why Session is important you should really question your teachers task.. ;) 最后一句话，如果这与理解为什么会话很重要没有关系，你应该真的质疑你的老师的任务..;）

You should not use cookie for such system in cause cookie are stored on the client side. 您不应该将Cookie用于此类系统，因为Cookie存储在客户端。 And any one can change it. 任何人都可以改变它。 Sessions are stored on the server side and only you can change it (also other system users can change it if they have directory access or db access if you store sessions in db). 会话存储在服务器端，只有您可以更改它（如果他们具有目录访问权限，其他系统用户也可以更改它，如果您在db中存储会话，则可以更改它）。 If you strongly need to use cookie you can encrypt login/password can write to cookie, but the using of sessions is more safely. 如果您非常需要使用cookie，您可以加密登录/密码可以写入cookie，但会话的使用更安全。