dongmei2956 2011-03-26 11:38
浏览 23

确保会话ID

I have built my first login system. The user enters a username and password and they are given a session id with their username and id.

This username and id is then used to customize the pages they see.

Every users username and id are basically public information, but the session id is only made by the system when they login.

QUESTION:

What are the security risks of using session id here where the contents are basically public but to get the session id you have to login?

Can someone fake the session id from the public id and username of someone else since that is all a session id contains here? is this easy to do?

Are their any common things to make it safer?

  • 写回答

2条回答 默认 最新

  • drn9573 2011-03-26 11:43
    关注

    Php's own session function is very good, the session's information isn't stored with the user but on the server, and the session id is kind of like a password.

    If you want to know about the security with sessions i highly recomend this video of a speaker at defcon 18.

    Basically the session is safe enough, but if you know enough about the server and user you could hack it, but it's a long and hard process to get through and most systems doesnt give you information enough to hack the session.

    评论

报告相同问题?

  • 加入会话ID mysql php
    2014-08-28 15:49
    回答 1 已采纳 What i did was just create a session, then join mysql tables and link the users that way. It was a
  • PHP会话变量请求时间 php
    2019-03-07 11:29
    回答 1 已采纳 Unless you do these session read/write operations millions of times (e.g. in a loop) you shouldn't
  • 无法通过CURL PHP保留会话ID php
    2013-10-05 06:37
    回答 1 已采纳 Don't use: curl_setopt($curl, CURLOPT_COOKIESESSION, true); PHPSESSID is a session cookie, and
  • php 会话变量会话id,PHP Session会话
    2021-03-26 11:16
    The Smurf的博客 在整个网站的各个页面上使数据都可访问的另一种方法是使用PHP会话会话将在服务器上的...在使用会话变量之前,确保已经设置了这个路径。当事件发生后开始会话 -PHP首先为该特定会话创建一个唯一标识符,该标识符...
  • 确保PHP会话安全 php
    2012-10-03 17:49
    回答 1 已采纳 A good approach would always be to at the login screen and immediately post login to force a new s
  • PHP会话不更新变量 php
    2018-08-17 09:28
    回答 2 已采纳 session_start() must be the second thing on your page after <?php. HTML tags must be placed aft
  • PHP LDAP会话持久性 php
    2019-02-04 15:31
    回答 1 已采纳 The problem is not about LDAP, the problem is about HTTP. HTTP is a stateless protocol whereas LD
  • 7天入门php-传送会话ID
    2016-10-04 11:33
    Liekkas_BX的博客 所以同一个用户在一个网站的不同页面间跳转时,应确保会话ID 是相同的。 因此,在用户请求浏览不同页面时,应该同时将其唯一标识该用户的会话ID 传过去,将该ID 设置为当前会话ID。对应有两种方式传送session ID。...
  • PHP会话干扰子域会话 php
    2017-11-21 17:01
    回答 1 已采纳 Since they share the same domain, they are the same site and share a session. You can manually ov
  • 如何从php会话中获取mysql user_id mysql php
    2019-03-30 11:00
    回答 3 已采纳 Or pass a parameter to a function then you will get the id inside the function function get_oglasi
  • PHP会话传播 php
    2017-03-13 10:01
    回答 1 已采纳 first you have to read what have been removed and edited in php (session.configuration) versions
  • php cookies id,关于安全性:PHP使用Cookies将当前会话ID存储在数据库中
    2021-04-04 04:20
    叫我钢铁侠的博客 会话ID会更改(无多次登录)会话ID实际上是唯一可以识别用户已登录的东西(由于cookie是特定于域的,因此我不确定这是否存在安全风险)但是,我想保留cookie附带的持久性登录名,同时又要确保内容安全。实际上,我想...
  • 会话变量间歇性PHP html php
    2018-01-19 20:45
    回答 1 已采纳 SOLVED: In my navigation bar I was using a full URL instead of a relative link, this was causing
  • php微信小程序会话保持,微信小程序保持session会话的方法
    2021-04-27 11:36
    程昱森的博客 一般我们web网站都会有cookie来保存session ID,将用户和服务器保持在一次会话中,但是很遗憾,微信小程序不支持cookie,他的每一次请求就是一次会话,这样就会产生一个问题,每次请求都需要确定当前的用户是谁,...
  • php 获取用户名,如何在php中获取会话ID或用户名?
    2021-03-25 10:34
    梁肖松的博客 我试过:当用户登录时,我将其会话设置为userlogin,但不会显示其用户名.This is the tutorial I used解决方法:所以设置它://Fetch the username from the database//The $login and $password I use here are ...
  • 没有解决我的问题, 去提问

悬赏问题

  • ¥60 求一个简单的网页(标签-安全|关键词-上传)
  • ¥35 lstm时间序列共享单车预测,loss值优化,参数优化算法
  • ¥15 基于卷积神经网络的声纹识别
  • ¥15 Python中的request,如何使用ssr节点,通过代理requests网页。本人在泰国,需要用大陆ip才能玩网页游戏,合法合规。
  • ¥100 为什么这个恒流源电路不能恒流?
  • ¥15 有偿求跨组件数据流路径图
  • ¥15 写一个方法checkPerson,入参实体类Person,出参布尔值
  • ¥15 我想咨询一下路面纹理三维点云数据处理的一些问题,上传的坐标文件里是怎么对无序点进行编号的,以及xy坐标在处理的时候是进行整体模型分片处理的吗
  • ¥15 CSAPPattacklab
  • ¥15 一直显示正在等待HID—ISP