Php 会话数据安全吗?
我们假设使用会话参数将一些经过验证的数据从一个 PHP 页面传递到另一个 PHP 页面。
我如何确定在第二个 php 页面上,该会话数据仍然是我在第一个 php 页面上验证的数据?据我了解,会话数据存储在用户计算机上的 cookie 中。那么是什么阻止用户将损坏的数据注入到会话 cookie 中呢?
因为在我的场景中,我需要依赖这样一个事实:传递到第二页的数据已经经过验证。
因此,主要问题是如何将经过验证的数据安全地从一个页面传递到另一个页面?
预先非常感谢, 弗洛
Let's assume some validated data gets passed from one PHP page to another using session parameters.
How can I be sure on the second php page, this session data is still the data I validated on the first php page? From what I understand the session data is stored in cookies on the users computer. So what stops the users from injecting corrupted data into that sessions cookie?
Because in my scenario I need to rely on the fact, that the data passed to the second page is already validated.
So the main question is how do I pass validated data securely from one page to another ?
Many thanks in advance,
Flo
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(4)
会话数据本身存储在服务器端。客户端计算机上存储的唯一内容是具有唯一标识符的 cookie,以便服务器知道要在服务器端加载哪个会话。
用户无法操纵会话本身中存储的数据,因此从这个意义上说,会话是安全的。
当然,cookie 本身可能会被一个用户窃取并被另一个用户使用(这种做法称为“会话劫持”)。您可以保护您的用户免受这种情况的影响,例如将会话锁定到他们的 IP 地址、浏览器版本等,并使用 HTTPS 来保护他们免受人们嗅探连接的影响。
The session data itself is stored server side. The only thing that is stored on the client's computer is a cookie with a unique identifier so the server knows which session to load at the server side.
Users cannot manipulate the data stored in the session itself, so in that sense, sessions are secure.
Then of course, the cookie itself could be stolen from a user and used by another user (a practice called 'session hijacking'). You can protect your users from this by for example locking a session to their IP-address, browser version, etc and using HTTPS to shield them from people sniffing connections.
cookie 不存储会话数据。将会话数据存储在服务器端 $_SESSION[] 上。例如
,现在在第二页检查此会话是否已设置。如果设置了,则验证用户。
这将是服务器端,因此您不需要一次又一次地验证。
谢谢
Do not store session data is cookies .Store the session data on server side $_SESSION[].For example
now on second page check if this session is set or not. If it is set then the user is validated
This will be server side so you need not to validate again and again.
Thanks
会话数据仅存储在服务器端,因此用户无法编辑会话中的任何内容,因此将保存假设第 1 页上验证的数据将与第 2 页上的数据相同的数据。
不要在 cookie 中存储任何敏感信息,因为这些存储在客户端&可以更改!
Session data is stored server side only, thus the user cannot edit anything in the session, so it will be save to assume the data validated on page 1 will be the same data on page 2.
Don't store any sensitive information in cookies as these are stored client side & can be altered!
事实并非如此。
会话数据存储在服务器上,并通过 cookie 与特定用户+浏览器关联。
通过编辑 cookie,用户只能:
请注意,还有一个会话 cookie,它是客户端上存储数据的位置。这是一个没有过期数据的常规 cookie,当浏览器关闭时就会过期。这种类型的 cookie 通常用于在客户端存储会话 ID。
It isn't.
Session data is stored on the server and associated with a particular user+browser via a cookie.
By editing the cookie the user can only:
Note that there is also a session cookie which is where data is stored on the client. This is a regular cookie with no expiry data which will be expired when the browser closes. This type of cookie is typically used to store the session id on the client.