
Reason to Randomly Regenerate Session ID?

Is this good practice? I've never seen it done before, but it works well so far.

<?php
session_start();               // session_regenerate_id() needs an active session

if (mt_rand(1, 10) == 1) {     # regenerate "randomly" on 10% of requests
    session_regenerate_id();   # keeps the old session data under a new ID
}

Thanks. :)

I think for whatever proper reason or context you would regenerate the session ID, you should do it every time, not just sometimes randomly (in your case on a 10% basis). I don't see how doing it every time is bad practice (correct me if I'm wrong, I'd be curious as to why). If someone has hacked a session, then regenerating the ID will cause the "hacker" to lose their hacked session. If you only regenerate the ID 10% of the time, then there is a 90% chance they will still maintain their hacked session. No bueno.
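The answer's point, regenerating at a defined moment rather than on a dice roll, worked through as an added example that is not code from the question or the answer. It rotates the session ID at the login boundary with session_regenerate_id(true), enables session.use_strict_mode so the server refuses IDs it never issued (the fixation case), and then shows that the old ID no longer resolves to the authenticated session. The credential check and the demo account are assumptions standing in for password_verify() against a stored hash; it runs on the CLI with PHP's default file session handler.

```php
<?php
// Added example, not code from the original question or answer.
// Rotate the session ID at a privilege boundary (login) instead of on a
// random 10% of requests, then prove the old ID is dead.
// Run with:  php demo.php   (default file session handler, no web server needed)

declare(strict_types=1);

// Reject session IDs the server never issued. Without this, an attacker can
// hand a victim a pre-chosen ID (session fixation) and PHP will happily
// create a session under it.
ini_set('session.use_strict_mode', '1');
// Assumption: under a web server you would also set session.cookie_httponly,
// session.cookie_secure and session.cookie_samesite here, before session_start().

// Hypothetical credential check; the demo account is an assumption.
// A real application compares against a stored hash with password_verify().
function credentials_valid(string $user, string $password): bool
{
    return $user === 'alice' && hash_equals('correct horse battery', $password);
}

// Authenticate and, on success, rotate the session ID.
// Returns the ID that was active before the rotation (null on failure)
// so the caller can demonstrate that it has stopped working.
function login(string $user, string $password): ?string
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    if (!credentials_valid($user, $password)) {
        return null;
    }
    $old = session_id();
    // Privilege boundary: issue a fresh ID so anything an attacker planted or
    // captured before login is worthless. The "true" argument deletes the old
    // session record instead of leaving a readable copy under the old ID.
    session_regenerate_id(true);
    $_SESSION['user']     = $user;
    $_SESSION['login_at'] = time();
    return $old;
}

// Full teardown on logout: clear the data and drop the server-side record.
// Under a web server, also expire the session cookie with setcookie().
function logout(): void
{
    $_SESSION = [];
    session_destroy();
}

// Simulate a request that presents an arbitrary session ID and report which
// user, if any, that ID is logged in as.
function who_is(string $id): ?string
{
    if (session_status() === PHP_SESSION_ACTIVE) {
        session_write_close();
    }
    session_id($id);
    session_start();
    return $_SESSION['user'] ?? null;
}

$old = login('alice', 'correct horse battery');
$new = session_id();
session_write_close();           // persist the authenticated session

echo "old id: $old\nnew id: $new\n";
echo 'old id resolves to: ', var_export(who_is($old), true), "\n"; // NULL
echo 'new id resolves to: ', var_export(who_is($new), true), "\n"; // 'alice'

logout();                        // who_is($new) would return NULL from here on
```

The rotation is tied to the event that changes what the session is worth (authentication, and likewise a role change or password change), which is the deterministic version of "do it every time" from the answer. Rotating on literally every request is worth avoiding for a different reason: two requests from the same browser racing each other (an AJAX call alongside a page load) can leave one of them holding an ID that the other has just invalidated, and the user is logged out for no attacker-related reason.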

Notice: the technical posts on this site are published under the CC BY-SA 4.0 license; if you need to republish, please credit this site's URL or the original source. For any questions contact: yoyou2525@163.com.

 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM