PHP会话不安全？需要另一种方法

So I've been told that this method is not secure, as people can fake sessions and use it's variables.
Here is a small part of my script:

<div class="panel-body text-center">
    <?php
        if(!isset($_SESSION['steamid'])) {
            steamlogin(); //login button
        }
        else
        {
            include ('steamauth/userInfo.php');
            include ('db.php');
            $mysqli = mysqli_query($db,"UPDATE `users_steam` SET name='".$steamprofile['personaname']."', avatar='".$steamprofile['avatarfull']."' lastseen='".time()."' WHERE steamid='".$_SESSION["steamid"]."'");

            echo "<img class='img-responsive center-block rounded' src='".$steamprofile['avatarmedium']."' title='' alt='' /></img><br>"; // Display their avatar!
            echo "<span>".$steamprofile['personaname']."</span>";
            logoutbutton();
        }
    ?>
</div>

If the user is not logged in, the login button is displayed. If opposite, then I display his avatar and name, and also update my database.
$_SESSION['steamid'] variable cointains user STEAM ID, which is retrieved when user logs in through steam. Is there any other way than $_SESSION variables to contain this ID and use it further in my website?
Thanks

写回答
好问题 0 提建议
追加酬金
关注问题
分享
邀请回答
编辑收藏删除结题
收藏举报

2条回答默认最新

关注

码龄粉丝数原力等级 --

被采纳

被点赞

采纳率
duanlao6573 2016-02-21 15:57
关注
You can indeed steal sessions but you have to understand that to do that, you'd first have to steal the cookie containing the session ID from a client, which is pretty hard.

Anyways, some things to make it more secure are:

Use SSL, it encrypts everything including the session cookie, makes it impossible to steal trough traffic monitoring.

Use multiple criteria when verifying a session cookie, not just the ID. Check for ip address, browser, whatever you can think of

Set an aggressive expiration time on the cookie and immediately invalidate it if one of the criteria from above doesn't match.

Each time a user visits your page, create a new session and transfer the data from the old session before destroying it. Make sure to generate a different session ID as well and to store it in the cookie.

There's no such thing as absolute security when it comes to web development. You have to accept the fact that an infected or monitored user can be impersonated no matter what you do. The only really secure thing we have right now is SMS tokens, which might be an inconvenience on a smaller website. The most you can do it make it as hard as possible to do it.
本回答被题主选为最佳回答 , 对您是否有帮助呢?

解决无用
评论打赏
分享
举报

评论

按下Enter换行，Ctrl+Enter发表内容

查看更多回答(1条)

报告相同问题？

关注问题

PHP会话不安全？需要另一种方法 php
2016-02-21 15:42

回答 2 已采纳 You can indeed steal sessions but you have to understand that to do that, you'd first have to ste
如何在PHP中使用数据会话？ php
2019-03-04 13:15

回答 1 已采纳 session_start() must be called before any output to the browser. Please update your code on all p
如何创建一个仅接受两个PHP会话的登录系统？ html php
2019-04-24 01:51

回答 1 已采纳 if you need only Leonx or INT. change your filter like this if($userx != "Leonx" AND $userx != "I
PHP会话技术(cookie与session)详解
2021-07-26 01:47

耶瞳的博客一：会话技术初步认识 ...会话技术就是通过HTTP协议想办法让服务器能够识别来自同一个浏览器的多次请求，从而方便浏览器(用户)在访问同一个网站的多次操作中，能够持续进行而不需要进行额外的身份验证。会
前往另一个页面时，PHP会话无法识别变量 mysql php
2018-04-20 04:19

回答 3 已采纳 you need to check session isset or not. Change <?php session_start(); $Username=$_GET['Userna
PHP会话不更新变量 php
2018-08-17 09:28

回答 2 已采纳 session_start() must be the second thing on your page after <?php. HTML tags must be placed aft
PHP会话不可写时抛出错误？ php
2017-04-18 20:55

回答 1 已采纳 You can check for the status of the session. if (session_status() !== PHP_SESSION_ACTIVE) { /
PHP页面之间传递参数的三种方法
2022-08-24 12:28

wuxiaopengnihao1的博客本文章向大家介绍php中页面与页面之间如何进行参数传递。php中如果要将参数从一个页面传递到另外一个页面，可以使用post或get或$_SESSION。具体实现方法可以阅读文章正文部分。
PHP如何从数据库更新会话？ php
2017-12-29 13:32

回答 1 已采纳 You should check the session variables actually exist before trying to work with them and when you
如何通过单击HTML按钮删除PHP会话？ php
2018-05-12 13:56

回答 1 已采纳 Hi One of ways to achive it is simple form and destroy session when the specified variable (a fla
如何从php会话中获取mysql user_id？ mysql php
2019-03-30 11:00

回答 3 已采纳 Or pass a parameter to a function then you will get the id inside the function function get_oglasi
php 漏洞_十大PHP安全漏洞
2020-08-11 21:49

culi4814的博客 php 漏洞Security is not a list of things you do. Security is a way of thinking, a way of looking at things, a way of dealing with the world that says “I don’t know how they’ll do it, but I know ...
Php会话变量返回另一个变量 php
2014-12-08 20:34

回答 1 已采纳 I bet the register_globals option is enabled on the server. You can check this with phpinfo(). Cr
php curlget方法_PHP cURL请求详解
2021-03-22 19:34

simmmmmmmcha的博客在PHP后端的开发过程中，除了获取数据库的数据和处理数据的内部逻辑，往往还需要请求其他服务器接口的数据，我们一般有3种方式来获取数据，分别是：file_get_contentsfsockopencurl3种常用的接口获取方式简述file_...
【CTF | 网络安全】攻防世界 Web_php_include【php伪协议|data伪协议|file伪协议】
2023-05-22 21:38

秋说的博客该题考察文件包含漏洞，涉及PHP伪协议data伪协议file伪协议及PHP内置函数等知识点，希望读者躬身实践。我是秋说，我们下次见。
没有解决我的问题, 去提问

悬赏问题

¥15 安卓adb backup备份应用数据失败
¥15 eclipse运行项目时遇到的问题
¥15 关于#c##的问题：最近需要用CAT工具Trados进行一些开发
¥15 南大pa1 小游戏没有界面，并且报了如下错误，尝试过换显卡驱动，但是好像不行
¥15 没有证书，nginx怎么反向代理到只能接受https的公网网站
¥50 成都蓉城足球俱乐部小程序抢票
¥15 yolov7训练自己的数据集
¥15 esp8266与51单片机连接问题(标签-单片机|关键词-串口)（相关搜索：51单片机|单片机|测试代码）
¥15 电力市场出清matlab yalmip kkt 双层优化问题
¥30 ros小车路径规划实现不了，如何解决？(操作系统-ubuntu)

PHP会话不安全？ 需要另一种方法

2条回答 默认 最新

悬赏问题

PHP会话不安全？需要另一种方法

2条回答默认最新