使用 $_SESSIONS 设置用户 ID 和 PASS
设置用户 ID 并传递给会话是否存在安全风险?如果是这样怎么办? 会话变量将位于包含的文件中。我知道这不会允许其他用户登录,但我只有一个用户登录。
****CONFIG.PHP****
session_start();
$_SESSION['USER'] = 'USERNAME';
$_SESSION['PASS'] = 'PASSWORD';
****LOGIN.PHP****
include ('config.php');
IF ($_SESSION['USER'] == $_POST['USERNAME'] &&
$_SESSION['PASS'] == $_POST['PASSWORD']){
ALLOW ACCESS;
}
Would it be a security risk to set the user id and pass to a session? If so how?
The session vars would be in an included file. I understand that this would not allow other users, but I only have one user to log in.
****CONFIG.PHP****
session_start();
$_SESSION['USER'] = 'USERNAME';
$_SESSION['PASS'] = 'PASSWORD';
****LOGIN.PHP****
include ('config.php');
IF ($_SESSION['USER'] == $_POST['USERNAME'] &&
$_SESSION['PASS'] == $_POST['PASSWORD']){
ALLOW ACCESS;
}
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(5)
如果您使用最终用户无论如何都无法修改的服务器端会话,则没有理由将密码存储在那里。这只是服务器上密码存在的另一个地方。一旦您验证了它是有效用户并且密码正确,您只需将其用户 ID 存储在会话中即可。他们无法更改它,因此您始终可以相信这实际上是他们的用户 ID。
会话劫持的风险始终存在,但这是另一个话题了。
至于你的代码,你误解了会话。您可以在验证用户输入后设置这些内容。
然后您可以测试是否设置了
$_SESSION['username']。如果是,那么您就知道您已登录。If you're using server-side sessions which can't be modified by the end-user anyways, there is no reason to store the password there. It's just another place the password exists on your server. Once you've validated the it is a valid user and the password is correct, you only really need to store their user ID in the session. There's no way they can change it, so you can always trust that it's actually their user ID.
There's always the risk of session hijacking, but that's a different topic.
As for your code, you're misunderstanding sessions. You set those after you've validated the user input.
Then you can just test to see if
$_SESSION['username']is set. If it is, then you know you're logged in.您不应该在会话中保护密码。如果操作正确,会话数据就无法从外部进行操作,因此当设置用户名时,您就知道该用户是合法的。
You should not safe the password in the session. The session-data cannot be manipulated from outside if you do it right, therefore you know the user is legit when the username is set.
这不会造成安全风险,但它绝对不允许扩展。如果明天需要允许两个用户,则必须重新构建登录架构。
而且,如果您只允许一名用户,为什么要使用会话来存储您要比较的值?你可以这样做
Config.php
然后,在 login.php
It wouldn't be a security risk, but it would allow ABSOLUTELY NO expansion at all. If you need to allow two users tomorrow, you'll have to re-architecture the login.
And, if you're only allowing one user, why use the session to store the values you're comparing against? You can just do this
Config.php
And then, in login.php
正如您的脚本名称
CONFIG.PHP所示,用户名和密码是配置数据。会话用于存储属于特殊用户会话的数据。存储配置数据的一个好习惯是使用常量,因为一旦定义它们,您的程序就无法更改它们。CONFIG.PHP
登录.PHP
WHATEVER.PHP
Like your script name
CONFIG.PHPindicates, the usernames and passwords are configuration data. A session is for storing data belonging to a special user session. A good practice for storing configuration data is to use CONSTANTS, because they cannot be changed by your program, once they are defined.CONFIG.PHP
LOGIN.PHP
WHATEVER.PHP
会话注入可能会窃取另一个用户的会话并获取他/她的密码。即使您使用的是加盐的文本而不是明文,这也不是真正值得推荐的。
更好的方法是实现一个好的算法,当用户执行需要特殊许可才能执行的操作时,经常重新检查用户是否有效。
处理时间和类似的事情对我来说应该比良好的安全性更重要!
哈利
Session injection could possibly steal another users Session and get his/hers password. Even if you are using a salted has instead of cleartext, this ist not really recommentable.
A better way would be to implement a good algorithm, rechecking if the user is valid as often as he does something he needs special permission to do it.
Processing time and things like that should me less important than good security!
Harry