发表新帖
发表新帖

PHP session var enough for user auth?

前端 未结
关注
5 965
心在旅途
心在旅途 2021-02-06 15:21

Scenario:

  • After a user has logged in, a session variable is set confirming their login.
  • At the top of every page, login session variable is confirmed vali
5条回答
  • 渐次进展
    渐次进展 (楼主)
    2021-02-06 15:55

    Don't try to write your own session scheme, PHP will do it better.

    yes you can add more information to your $_SESSION to help prevent session hijacking

    for example I generate a fingerprint by combining a secret phrase or random data with the user agent and the session_id() and hash it all. To hijack a session the user would need to figure out a valid session_id, and the hash of the fingerprint. it will look like this. This is a good read

    $_SESSION['fingerprint'] = md5('somethingSecret' . $_SERVER['HTTP_USER_AGENT']. session_id());

    then you would validate the session like

    $check_print = md5('somethingSecret' . $_SERVER['HTTP_USER_AGENT']. session_id());

if($check_print != $_SESSION['fingerprint'] || $_SESSION['authenticated']){ 
    //invalid session
}

    0 讨论(0)
 看不清?
提交回复
热议问题