dongyo1818
2018-07-24 16:04
浏览 35
已采纳

PHP $ _SESSION,尝试访问用户表时不显示输出,当会话被终止时,会话保持活动状态

i'm trying to a build a secure sessionID. Usually i store the UserID as the $_SESSION['session'];, now im not too sure if it is really secure to have the userID as the sessionID. so what i have done is tested this theory although now i cannot access the users information and after i kill the session the sessions are still active and available?

CODE to check login if true or false:

if(password_verify($userPass, $user['userPasswd']))
{
    session_start();
    $UID = str_replace($user['text'].$user['text1'], '', $user['uniqID']);
    $_SESSION['SESSION'] = sha1(md5(sha1($UID)));
    return true;
} else {
    return false;
}

Logout Script: EDIT fixed using $_SESSION = array();

public function userLogout()
{
     session_destroy();
     unset($_SESSION['SESSION']);
     return true;
}

Script to access users table information (username, email etc):

$userID = $_SESSION['SESSION'];
$stmt = $userClass->runQuery("SELECT * FROM users WHERE uniqID=:userID");
$stmt->execute(array(":userID"=>$userID));
$user = $stmt->fetch(PDO::FETCH_ASSOC);

print_r($_SESSION['SESSION']); //Prints out session even if not logged in 
print $user['Username']; //Prints out nothing

i'm not sure if i missed a step or if hashing a session is even necessary, maybe i am doing something incorrectly. Essentially i am trying to secure the userID via a hash instead of having it displaying the users actual ID. Using the hash i would like to match and gain access to the users column.

ADDITIONAL NOTE: if i change the session to get the actual userID eg: 1

$userID = 1; //i did set the $_SESSION var to the userID to check if logout works
$stmt = $userClass->runQuery("SELECT * FROM users WHERE userID=:userID");
$stmt->execute(array(":userID"=>$userID));
$user = $stmt->fetch(PDO::FETCH_ASSOC);

print_r($_SESSION['SESSION']); //prints out 1 //still does not destroy session after userLogout() is initiated 
print $user['Username']; //Prints username which is correct 

been boggled by this for hours, maybe a different set of eyes and experience might help x_x.

图片转代码服务由CSDN问答提供 功能建议

我正在尝试构建一个安全的会话ID。 通常我将UserID存储为 $ _ SESSION ['session']; ,现在我不太确定将userID作为sessionID是否真的安全。 所以我所做的是对这个理论进行了测试,虽然现在我无法访问用户信息,但在我终止会话后,会话仍处于活动状态且可用吗?

CODE检查登录是否为true或false :

  if(password_verify($ userPass,$ user ['userPasswd']))
 {
} session_start(); 
 $ UID = str_replace($ user [  'text']。$ user ['text1'],'',$ user ['uniqID']); 
 $ _SESSION ['SESSION'] = sha1(md5(sha1($ UID))); 
返回 true; 
} else {
 return false; 
} 
   
 
 

注销脚本:使用$ _SESSION = array()修复编辑; \ n

  public function userLogout()
 {
 session_destroy(); 
 unset($ _ SESSION ['SESSION']); 
返回true; 
} 
    
 
 

访问用户表信息的脚本(用户名,电子邮件等):

  $ userID = $ _SESSION ['SESSION']; \  n $ stmt = $ userClass-> runQuery(“SELECT * FROM users WHERE uniqID =:userID”); 
 $ stmt-> execute(array(“:userID”=> $ userID)); 
 $  user = $ stmt-> fetch(PDO :: FETCH_ASSOC); \  Ñ
print_r($ _ SESSION [ 'SESSION']);  //即使未登录
print $ user ['Username'],也会打印出会话;  //什么都没打印
   
 
 

我不确定我是否错过了一个步骤,或者是否需要哈希会话,也许我做错了什么。 本质上,我试图通过哈希来保护userID,而不是让它显示用户的实际ID。 使用哈希我想匹配并获得对用户列的访问权限。

附加说明:如果我更改会话以获取实际用户ID,例如:1

  $ userID = 1;  //我确实将$ _SESSION var设置为userID以检查logout是否正常工作
 $ stmt = $ userClass-> runQuery(“SELECT * FROM users WHERE userID =:userID”); 
 $ stmt-> execute  (array(“:userID”=> $ userID)); 
 $ user = $ stmt-> fetch(PDO :: FETCH_ASSOC); 
 
print_r($ _ SESSION ['SESSION']);  //打印输出1 //在启动userLogout()后仍然不会销毁会话
print $ user ['Username'];  //打印正确的用户名
   
 
 

已经被这个看了几个小时,也许一组不同的眼睛和经验可能有助于x_x。 < / DIV>

  • 写回答
  • 关注问题
  • 收藏
  • 邀请回答

2条回答 默认 最新

  • doulouli8686 2018-07-24 16:52
    已采纳

    (this is a comment, but its a bit long)

    As ADyson says, this is very confused coding. Neither your code nor your narrative explain what you are trying to achieve here. What is the threat model? What is your definition of "secure"? $_SESSION['SESSION'] is not the session id.

    If you store a static map between the (effectively random, but not random enough) identifier stored in the session and the username, then all you've done is limit the performance and scalability of the system - I cannot see how it adds any value for security.

    There is a usage model where you might want a warrant-proof user database, where you would hash usernames - but this is not it.

    There are models for protecting the session data from other subscribers on a shared host (with poor partitioning). This is not that either.

    There are models for ensuring that session data is protected in backups....and, nope, this isn't very good for that either.

    sha1(md5(sha1($UID)));

    This is silly.

    Take some time to understand how the default session handler actually works before you start trying to improve it by throwing code at it (hint: there are things in there which are not suitable for every application, but if you want to improve them, use a custom handler - not wrapping the default handler in additional code). But before you write any code, you need to get your head around exactly what you are trying to achieve.

    已采纳该答案
    打赏 评论
  • dsc7188 2018-07-24 16:09

    You need to follow such way:

    session_start();
    
    // Unset all of the session variables.
    $_SESSION = array();
    
    // Finally, destroy the session.
    session_destroy();
    
    打赏 评论

相关推荐 更多相似问题