
What is $_SESSION and how do I secure the SESSION name in PHP

My SESSION starts after a successful login and I really don't know how safe my SESSION value is.

My SESSION value is the user name and here is my code:

<?php
require_once('includes/config.php'); // assumed to create $user and call session_start()
if ($user->is_logged_in()) {
    header('Location: signup.php');
    exit; // stop here, otherwise the login handling below still runs after the redirect
}
if (isset($_POST['submit'])) {
    $username = filter_input(INPUT_POST, 'username');
    $password = filter_input(INPUT_POST, 'password');
    if ($user->login($username, $password)) {
        $_SESSION['username'] = $username;
        header('Location: index.php');
        exit;
    } else {
        $error[] = 'Wrong username or password or your account has not been activated.';
    }
}
?>

Here is my function

private function get_user_hash($username) {
    try {
        // Only active accounts can log in; the query is parameterised, so $username is never interpolated into SQL
        $stmt = $this->_db->prepare('SELECT password FROM members WHERE username = :username AND active="Yes" ');
        $stmt->execute(array('username' => $username));
        $row = $stmt->fetch();
        return $row['password'];
    } catch (PDOException $e) {
        echo '<p class="bg-danger">' . $e->getMessage() . '</p>';
    }
}

public function login($username, $password) {
    $hashed = $this->get_user_hash($username);
    // password_verify() here is the class's own method that compares the submitted password with the stored hash
    if ($this->password_verify($password, $hashed)) {
        $_SESSION['loggedin'] = true;
        return true;
    }
    return false;
}

Now I need to know how safe my $_SESSION is,

and how do I secure my $_SESSION value?

First, it is valuable to have a deeper understanding of how sessions work in PHP. When you run session_start(), PHP registers an ID for the current visitor and allows you to start storing/receiving information linked to the session ID, for example:

session_start(); // Registered visitor ID on server "B3D4IUC86"
$_SESSION['password'] = "test1234"; // Stores password for visitor "B3D4IUC86"
echo $_SESSION['password']; // Retrieves 'password' index for visitor "B3D4IUC86"

It is best practice not to store secure/unencrypted data directly on the user's machine, as this data can be intercepted in transfer or accessed directly. Rather, store an ID which you can look up on your machine(s) and find the information internally. This will also (slightly) increase network transfer speeds, as you are not transferring all data, but only a simple ID which you can look up.
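To show what that advice looks like applied to the asker's login page, here is an added example (not code from the question or the answer). It assumes the same `$user` object from `config.php`, that `login()` exposes the authenticated member's numeric id as `$user->id`, and that the protected page is `index.php`; the browser only ever holds the opaque session ID, and that ID is replaced at login so a pre-login ID can never be promoted to a logged-in one.

```php
<?php
// Added example: hardened version of the login flow from the question.
// Assumptions: config.php defines $user, login() sets $user->id on success.
declare(strict_types=1);
require_once('includes/config.php');

// Harden the session cookie before the session starts.
ini_set('session.use_strict_mode', '1');  // reject session IDs the server never issued
ini_set('session.use_only_cookies', '1'); // never read the ID from the URL
session_set_cookie_params([
    'lifetime' => 0,       // session cookie, dropped when the browser closes
    'path'     => '/',
    'secure'   => true,    // only sent over HTTPS
    'httponly' => true,    // not readable from JavaScript
    'samesite' => 'Lax',   // not attached to cross-site POST requests
]);
session_start();

if (isset($_POST['submit'])) {
    $username = (string) filter_input(INPUT_POST, 'username');
    $password = (string) filter_input(INPUT_POST, 'password');

    if ($user->login($username, $password)) {
        // New ID after authentication (old session file deleted): defeats session fixation.
        session_regenerate_id(true);
        $_SESSION['loggedin'] = true;
        $_SESSION['user_id']  = $user->id; // server-side lookup key, not the username
        header('Location: index.php');
        exit;
    }
    $error[] = 'Wrong username or password or your account has not been activated.';
}

// Call at the top of every protected page (after the same session setup).
function require_login(): void
{
    if (empty($_SESSION['loggedin']) || empty($_SESSION['user_id'])) {
        header('Location: login.php');
        exit;
    }
}

// Logout: wipe the server-side data and expire the cookie holding the ID.
function logout(): void
{
    $_SESSION = [];
    $p = session_get_cookie_params();
    setcookie(session_name(), '', time() - 42000, $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    session_destroy();
}
```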
