Best method for authentication in PHP
What's the best and most secure way to go when writing an authentication library in a model-view-controller way?
The things that give me a hard time are keeping track of the users' activity and remembering users via a cookie or storing sessions in the database?
Thanks in advance :).
Comments (2)
If you want to use sessions, you have to secure them against attacks like session fixation and session hijacking.
To prevent both you have to ensure that only authenticated requests are allowed to use the session. This is commonly done by chaining as much specific (possibly unique) information about the client as possible with the session. But as some information may change on every request (like the IP address), it can be difficult to find a good one.
This is why it is useful to use the method denoted as Trending.
Another good protection measure is to swap the session ID periodically. Thus the period for an attack on a valid session ID is smaller.
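The two measures this answer describes (binding the session to client information that stays stable across requests, and swapping the session ID periodically) can be put into a small helper that every request runs before anything else. The following is an added example and not the answer's own code; it assumes PHP 7.3 or later over HTTPS, and the rotation interval constant, the fingerprint choice (User-Agent only, since the IP address may change per request) and the function names are this example's own.

```php
<?php
// Added example, not the answer's own code: hardening PHP sessions against
// session fixation and hijacking. Assumes PHP >= 7.3 and that the site is
// served over HTTPS. SESSION_ROTATE_INTERVAL is this example's own policy.
declare(strict_types=1);

const SESSION_ROTATE_INTERVAL = 300; // seconds between session ID rotations

function clientFingerprint(): string
{
    // Only information that is stable across a client's requests goes in here.
    // The IP address is deliberately left out because it can change per request.
    return hash('sha256', $_SERVER['HTTP_USER_AGENT'] ?? '');
}

function startHardenedSession(): void
{
    // Only server-issued IDs are accepted (an unknown ID gets replaced) and the
    // ID is never read from the URL, which removes the classic fixation vector.
    ini_set('session.use_strict_mode', '1');
    ini_set('session.use_only_cookies', '1');
    session_set_cookie_params([
        'lifetime' => 0,
        'path'     => '/',
        'secure'   => true,   // cookie only travels over HTTPS
        'httponly' => true,   // not readable from JavaScript
        'samesite' => 'Strict',
    ]);
    session_start();

    $fingerprint = clientFingerprint();
    if (!isset($_SESSION['fingerprint'])) {
        $_SESSION['fingerprint'] = $fingerprint;
        $_SESSION['rotated_at']  = time();
    } elseif (!hash_equals($_SESSION['fingerprint'], $fingerprint)) {
        // The session is being used by a client that does not match the one it
        // was bound to: discard it and start a fresh, unauthenticated one.
        destroySession();
        session_start();
        $_SESSION['fingerprint'] = $fingerprint;
        $_SESSION['rotated_at']  = time();
        return;
    }

    // Periodic rotation shortens the window in which a leaked ID stays valid.
    if (time() - ($_SESSION['rotated_at'] ?? 0) > SESSION_ROTATE_INTERVAL) {
        session_regenerate_id(true); // true: the old session's data is deleted
        $_SESSION['rotated_at'] = time();
    }
}

function loginUser(int $userId): void
{
    // Regenerate at the privilege change: whatever ID the client carried before
    // login is worthless afterwards, so a pre-set (fixed) ID gains nothing.
    session_regenerate_id(true);
    $_SESSION['user_id']    = $userId;
    $_SESSION['rotated_at'] = time();
}

function currentUserId(): ?int
{
    return isset($_SESSION['user_id']) ? (int) $_SESSION['user_id'] : null;
}

function destroySession(): void
{
    $_SESSION = [];
    $p = session_get_cookie_params();
    // Expire the cookie on the client as well as removing the data on the server.
    setcookie(session_name(), '', [
        'expires'  => time() - 3600,
        'path'     => $p['path'],
        'domain'   => $p['domain'],
        'secure'   => $p['secure'],
        'httponly' => $p['httponly'],
        'samesite' => $p['samesite'],
    ]);
    session_destroy();
}

// Constructed usage: every controller entry point calls this first.
startHardenedSession();
// After the login controller has verified the credentials: loginUser($id);
// On logout: destroySession();
```

In an MVC layout the call to startHardenedSession() belongs in the front controller, so no view or action can be reached with an unchecked session; loginUser() and destroySession() are the only two places that touch the authentication state.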
The simplest way to implement it is with PHP SESSIONS.
Just session_start(); near the beginning of your script, and you have access to the $_SESSION global array for holding your authentication data.
Depending on the configuration of your server all the data stored in $_SESSION will only be available on the server from which it is hosted (with few exceptions). You can configure it to be saved in a temporary directory, in memcached, or even a database.
The only thing that is transmitted between the client and your server is a "session key". The key can be passed by cookie or URL-rewrites (which are transparently handled by the session_start output buffer).
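This answer mentions that the session store can be moved out of the temporary directory and into a database, which is the other half of the original question. The following is an added example, not the answer's or the original poster's code: a session handler implemented on SessionHandlerInterface over PDO, with an in-memory SQLite table standing in for a real database. It assumes PHP 8.0 or later with the PDO SQLite driver; the sessions table layout, the upsert syntax (SQLite/PostgreSQL) and the $_SESSION keys are this example's own choices.

```php
<?php
// Added example, not the answer's own code: a PHP session store backed by a
// database through SessionHandlerInterface. Assumes PHP >= 8.0 with PDO and
// the SQLite driver; the `sessions` table layout is this example's own choice.
declare(strict_types=1);

final class PdoSessionHandler implements SessionHandlerInterface
{
    public function __construct(private PDO $pdo, private int $maxLifetime = 1440) {}

    public function open(string $path, string $name): bool { return true; }
    public function close(): bool { return true; }

    public function read(string $id): string|false
    {
        // Expired rows are ignored even before gc() has removed them.
        $stmt = $this->pdo->prepare('SELECT data FROM sessions WHERE id = ? AND updated_at > ?');
        $stmt->execute([$id, time() - $this->maxLifetime]);
        $row = $stmt->fetch(PDO::FETCH_ASSOC);
        // An unknown ID yields '' so PHP starts an empty session rather than failing.
        return $row === false ? '' : (string) $row['data'];
    }

    public function write(string $id, string $data): bool
    {
        // Upsert keyed by the server-issued session ID (SQLite/PostgreSQL syntax;
        // MySQL would use ON DUPLICATE KEY UPDATE instead).
        $stmt = $this->pdo->prepare(
            'INSERT INTO sessions (id, data, updated_at) VALUES (?, ?, ?)
             ON CONFLICT(id) DO UPDATE SET data = excluded.data, updated_at = excluded.updated_at'
        );
        return $stmt->execute([$id, $data, time()]);
    }

    public function destroy(string $id): bool
    {
        return $this->pdo->prepare('DELETE FROM sessions WHERE id = ?')->execute([$id]);
    }

    public function gc(int $max_lifetime): int|false
    {
        $stmt = $this->pdo->prepare('DELETE FROM sessions WHERE updated_at <= ?');
        $stmt->execute([time() - $max_lifetime]);
        return $stmt->rowCount();
    }
}

function bootSessions(PDO $pdo): void
{
    // Second argument: register session_write_close() as a shutdown function.
    session_set_save_handler(new PdoSessionHandler($pdo), true);
    session_start();
}

// Constructed usage: an in-memory SQLite database stands in for the real one.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE sessions (id TEXT PRIMARY KEY, data BLOB NOT NULL, updated_at INTEGER NOT NULL)');

bootSessions($pdo);
// Set by the login controller once the credentials have been verified.
$_SESSION['user_id']      = 42;
$_SESSION['logged_in_at'] = time();
session_write_close(); // persists the data through PdoSessionHandler::write()

// The client only ever receives the session ID; the data stays in the table.
$stored = (int) $pdo->query('SELECT COUNT(*) FROM sessions')->fetchColumn();
echo "session rows stored: {$stored}\n";
```

Because the handler only sees the opaque session ID and a serialized blob, the rest of the application keeps using $_SESSION unchanged; the database row is also where a "last activity" timestamp (updated_at) lives, which covers the activity tracking the question asks about without a second table.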