会话ID为md5（time（））

I have the code:

if ($usernamelogin == $dbusername && $passwordlogin == $dbpassword)
{
    $hash = md5(time());
    mysqli_query($connection, "UPDATE users SET sessionid='$hash' WHERE username='$usernamelogin' AND password='$passwordlogin'");
    $_SESSION['id'] = $hash;
    $_SESSION['un'] = $usernamelogin;
}
else 
{
    echo ('Wrong username or password.');
}

I'm then using $sessionid, the SQL sessionid, and the usernames to verify if a user is real. This means that, assuming I have protection against an SQL injection, there are relatively few security risks, right?

I came here to ask, because this seems like an overly simple solution to a complex problem. All of the documents and websites I've been to have implemented much more complex, confusing, and sometimes insecure methods of verifying if a user is logged in.

Is this secure?

写回答
好问题 0 提建议
追加酬金
关注问题
分享
邀请回答
编辑收藏删除结题
收藏举报

2条回答默认最新

关注

码龄粉丝数原力等级 --

被采纳

被点赞

采纳率
duancoubeng5909 2013-08-25 12:50
关注
You shouldn't use md5(time()) to generate a session id, this is not secure. The time is liner and can be guessable, for example some websites show when the user has loged-in, you could use this information and brute-force to hijack his session id.

Second thing, you can also brute-frose on random time and there is a great chance you will get some random user session id. Also, there is a good chance that two users will have the same second thing is two users will have the same session id if they login at the same time.

Have a look at this great talk (DEFCON 18: How I Met Your Girlfriend 1/3), I watch it a long time a go, I can't remember the details, but I remember the speaker made series point about session weaknesses. Also, see OWASP wiki, it has great resources on web security and sessions security.

本回答被题主选为最佳回答 , 对您是否有帮助呢?

解决无用
评论打赏
分享
举报

评论

按下Enter换行，Ctrl+Enter发表内容

查看更多回答(1条)

报告相同问题？

关注问题

会话ID为md5（time（）） php sql
2013-08-25 12:14

回答 2 已采纳 You shouldn't use md5(time()) to generate a session id, this is not secure. The time is liner and
php保持用户在更改页面后使用会话登录 php
2018-08-14 15:01

回答 3 已采纳 @waterloomatt & @Isaac thanks for your time and responses! After so many hours, finally i found th
在php中手动超时后会话初始化 php
2012-08-19 19:06

回答 2 已采纳 I'm not sure (and can't test it now), but if(!isset($_SESSION)) session_start(); seems to n
php会话超时,PHP会话超时
2021-03-24 09:32

weixin_39791225的博客 PHP会话超时我在用户登录时创建会话，如下所示：$_SESSION['id'] = $id;如何在X分钟的会话上指定超时，然后在达到X分钟后让它执行功能或页面重定向？编辑：我忘了提及由于不活动，我需要会话超时。8个解决方案85 ...
使用登录脚本进行会话时出错 php
2018-08-16 17:15

回答 1 已采纳 The code below works but for some reason, I am not able to echo the session variable name. Is it p
会话文件以不同的名称存储 php
2019-02-19 02:57

回答 1 已采纳 One of my friends pointed out this which fixed my problem with random session_id.
php是用户会话/ cookie有效重定向错误 php
2013-04-03 22:13

回答 1 已采纳 it took two 13hr days and some help but after the 3rd rewrite things seems to be working with only
php 会话变量会话id,PHP会话变量没有转移到我登录的页面,但是会话ID是
2021-03-26 11:16

聂家麒的博客我使用的是PHP 4.3.9,Apache / 2.0.52我正在尝试让...我正在使用以下代码在我的登录表单页面和重定向页面上打印会话ID /值：echo 'session id: ' . session_id() . '';echo 'session first name: ' . $_SESSION['fi...
login.php没有启动会话或设置数组 php
2013-04-04 03:20

回答 1 已采纳 keep in mind that you should start session at the very top of thd page,ie before anything start.el
代码点火器会话管理 - 登录页面刷新而不是填充会话 php
2018-11-27 23:24

回答 1 已采纳 I think the save path is not what you want. BASEPATH points to the system directory. This will poi
会话user_name无法启动或工作[关闭] php
2015-12-04 14:10

回答 2 已采纳 1.) session_start() should be first line of your code in php, in any case session_start() must com
php会话超时,php登录超时session怎么办
2021-03-24 09:33

扣酱的星星眼的博客 php登录超时session的解决办法：首先登录时候用session记录登录时间；然后页面打开时候判断session如果不存在，就跳回登录页面；接着如果session存在，则将页面加载时间和登录时间对比；最后如果大于超时时间，则...
每个特定的browsertab使用会话cookie ajax php
2013-12-18 08:55

回答 1 已采纳 You can't do it. The best way to do it, is with Ajax, so, you will pass an "ID" to each tab (or pa
php 会话时长,PHP 会话 (session 时间设定) 使用入门
2021-04-16 01:26

巧笑倩兮Evelina的博客对比起 Cookie，Session 是存储在服务器端的会话，相对安全，并且不像 Cookie 那样有存储长度限制，本文简单介绍 Session 的使用。由于 Session 是以文本文件形式存储在服务器端的，所以不怕客户端修改 Session 内容...
php会话控制是什么意思,PHP中的会话控制
2021-04-28 01:40

knightshady的博客无连接：每次连接仅处理一个客户端的请求，得到服务器响应后，连接就结束了无状态：每个请求都是独立的，服务器无法识别和区分它们的身份这就造成了一个问题，在不同网页之间如何传递信息，会话控制的思想就是为了...
没有解决我的问题, 去提问

悬赏问题

¥15 目详情-五一模拟赛详情页
¥15 有了解d3和topogram.js库的吗？有偿请教
¥100 任意维数的K均值聚类
¥15 stamps做sbas-insar，时序沉降图怎么画
¥15 买了个传感器，根据商家发的代码和步骤使用但是代码报错了不会改，有没有人可以看看
¥15 关于#Java#的问题，如何解决？
¥15 加热介质是液体，换热器壳侧导热系数和总的导热系数怎么算
¥100 嵌入式系统基于PIC16F882和热敏电阻的数字温度计
¥15 cmd cl 0x000007b
¥20 BAPI_PR_CHANGE how to add account assignment information for service line

会话ID为md5（time（））

2条回答 默认 最新

悬赏问题

2条回答默认最新