dongshu4221 2010-09-21 14:37
浏览 26
已采纳

用户登录和会话:安全与否

DB table: login_info

--------------------------------------
| login      |  passwd    |  company |
--------------------------------------
|company1    |  passmd5   | company1 |
--------------------------------------
|company2    |  passmd5   | company2 |
--------------------------------------
|company3    |  passmd5   | company3 |
--------------------------------------

once login matches, the login name and company name is saved in a session variable. 

$_SESSION['SESS_MEMBER_ID'] = $log['login']; //where $log is the mysql_fetch_assoc result array
$_SESSION['log_company_id'] = $log['company'];

Then using the stored company name in the session variable, the company details are loaded from a company specific db. I am not relying on cookies for storing this information. Is this method safe? Should I do something else? Any other security measures that I should know of?

  • 写回答

1条回答 默认 最新

  • douyo770657 2010-09-21 14:57
    关注

    instead of storing the loginid in a variable and just "assuming" that its the same person you might want to store the session as a record in a database. then have the id of this record in the session variable.

    That way you can store the user's IP address in the database and when you check the session you can check the ip address against the session in the database - this will eliminate session hijacking and will add more security.

    本回答被题主选为最佳回答 , 对您是否有帮助呢?
    评论

报告相同问题?

悬赏问题

  • ¥20 西门子S7-Graph,S7-300,梯形图
  • ¥50 用易语言http 访问不了网页
  • ¥50 safari浏览器fetch提交数据后数据丢失问题
  • ¥15 matlab不知道怎么改,求解答!!
  • ¥15 永磁直线电机的电流环pi调不出来
  • ¥15 用stata实现聚类的代码
  • ¥15 请问paddlehub能支持移动端开发吗?在Android studio上该如何部署?
  • ¥20 docker里部署springboot项目,访问不到扬声器
  • ¥15 netty整合springboot之后自动重连失效
  • ¥15 悬赏!微信开发者工具报错,求帮改