doudou521125 2012-03-07 10:44
Views: 17
Accepted

PHP session security on a custom e-commerce website: how should I do it?

Hi, I have a website going live shortly that has a very simple system whereby customers can purchase a single item from the website. I am using PHP sessions to store the customer's product, personal and bank details as they move through the site.

However, I am concerned that I do not have any PHP session security, or not enough, or that it is not done properly. I have read Chris Shiflett's page on security and tried to implement his methods, but I really haven't been able to grasp or understand what needs to be done, and I think that what I currently have in place isn't even working.

My current code is very small and only appears at the start of any page with "session_start()" and here it is:

session_start();

if (!isset($_SESSION['initiated']))
{
    session_regenerate_id();
    $_SESSION['initiated'] = true;
}

To be honest I really have no idea what this is doing apart from regenerating the session id if $_SESSION['initiated'] is not true.

Could someone please suggest some session security methods that I can implement into my site and any other security measures you think might be required.

Thanks in advance.

Daniel.
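The question asks for concrete session security measures. The following is an added example, not code from the asker or from Chris Shiflett's page: a session bootstrap that can replace the bare session_start() at the top of every page. It assumes PHP 7.3 or newer (the array form of session_set_cookie_params and setcookie) and that the site is served over HTTPS; the idle and rotation limits, the function names and the $_SESSION keys used are all assumptions. Note that PHP's default file-based session handler writes session data to disk in plaintext, so card or bank details should not be kept in the session at all, only a reference to a record held elsewhere.

```php
<?php
// Added example (not the asker's code): a hardened session bootstrap for PHP.
// Assumes PHP >= 7.3 and an HTTPS-only site. Include before any output on every page.

declare(strict_types=1);

const SESSION_IDLE_LIMIT   = 1800; // seconds of inactivity before the session is discarded (assumed value)
const SESSION_ROTATE_EVERY = 300;  // seconds between routine session-id rotations (assumed value)

function secure_session_start(): void
{
    // Cookie-only sessions: never accept an id from the URL, and reject ids the server did not issue.
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_strict_mode', '1');

    session_set_cookie_params([
        'lifetime' => 0,        // session cookie, dropped when the browser closes
        'path'     => '/',
        'secure'   => true,     // only sent over HTTPS
        'httponly' => true,     // not readable from JavaScript
        'samesite' => 'Lax',
    ]);

    session_start();
    $now = time();

    // Idle timeout: a session the customer stopped using should not stay valid indefinitely.
    if (isset($_SESSION['last_activity']) && ($now - $_SESSION['last_activity']) > SESSION_IDLE_LIMIT) {
        destroy_session();
        session_start();
    }
    $_SESSION['last_activity'] = $now;

    // Bind the session to the browser's User-Agent; a mismatch is a cheap signal of a stolen id.
    $ua = hash('sha256', $_SERVER['HTTP_USER_AGENT'] ?? '');
    if (!isset($_SESSION['ua_hash'])) {
        $_SESSION['ua_hash'] = $ua;
    } elseif (!hash_equals($_SESSION['ua_hash'], $ua)) {
        destroy_session();
        session_start();
        $_SESSION['ua_hash'] = $ua;
    }

    // Rotate the id periodically so a leaked id has a short useful life.
    if (!isset($_SESSION['rotated_at']) || ($now - $_SESSION['rotated_at']) > SESSION_ROTATE_EVERY) {
        session_regenerate_id(true); // true = delete the old session data
        $_SESSION['rotated_at'] = $now;
    }
}

// Call at every trust boundary, e.g. after login or after the customer's details are accepted.
function escalate_session(): void
{
    session_regenerate_id(true);
    $_SESSION['rotated_at'] = time();
}

function destroy_session(): void
{
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', [
            'expires'  => time() - 42000,
            'path'     => $p['path'],
            'domain'   => $p['domain'],
            'secure'   => $p['secure'],
            'httponly' => $p['httponly'],
            'samesite' => $p['samesite'],
        ]);
    }
    session_destroy();
}

secure_session_start();
```

The difference from the snippet in the question is that regeneration is tied to events (time elapsed, a change in trust level) rather than to a flag that is true on every request after the first, and the cookie flags and strict mode close off fixation through URLs or attacker-chosen ids.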


2 answers

  • douzongmu2543 2012-03-07 11:23

    Your code is wrong; I don't see why you wrote it this way.

    Your logic on the first request:

    if not exists create session_id
    if user appears first time
      generate new session_id
      save initiated = true
    show your page with initiated = true
    

    When the second request arrives:

    show your page with initiated = true
    

    On any visit, initiated = true and the session_id is the same. So initiated will always be true, whether it is the first, second, third... visit.

    So your code does only one thing: on the first visit it generates two session_ids and saves initiated = true. This doesn't provide any security.

    You should create a user system and then save the items the user purchased, or something similar.

    UPDATE

    You can ask the customer for his email address and then send a confirmation to that email, and save the email and product id in the database, so one email, one product.

    Yes, the customer can create a second email and try to buy one more, but sessions can also be manipulated: just remove the session cookie or restart the browser and you can go and buy one more time.

    This answer was selected by the asker as the best answer.
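The answer's point is that a purchase limit kept only in the session disappears with the session cookie, so the rule "one email, one product" has to be enforced by the server's own records. The following is an added example, not the answerer's code: it records the purchase intent in a database table whose UNIQUE constraint enforces the rule even when two requests race, and ties confirmation to a random token sent to the mailbox. It assumes PHP 7.4 or newer with the pdo_sqlite extension; the table name, column names and function names are assumptions, and the sample data is constructed.

```php
<?php
// Added example (not the answerer's code): server-side "one email, one product" enforcement
// that a customer cannot bypass by clearing the session cookie or restarting the browser.
// Assumes PHP >= 7.4 with pdo_sqlite; schema and function names are assumptions.

declare(strict_types=1);

function open_store(string $dsn = 'sqlite::memory:'): PDO
{
    $db = new PDO($dsn);
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // The UNIQUE constraint is what actually enforces the rule; a SELECT-then-INSERT check alone races.
    $db->exec('CREATE TABLE IF NOT EXISTS purchases (
        id            INTEGER PRIMARY KEY,
        email         TEXT    NOT NULL,
        product_id    INTEGER NOT NULL,
        confirm_token TEXT    NOT NULL,
        confirmed     INTEGER NOT NULL DEFAULT 0,
        created_at    INTEGER NOT NULL,
        UNIQUE (email, product_id)
    )');
    return $db;
}

// Records the intent to buy and returns the token to email to the customer,
// or null when this email already holds a purchase of this product.
function begin_purchase(PDO $db, string $email, int $productId): ?string
{
    $email = strtolower(trim($email)); // normalise so Alice@ and alice@ count as one mailbox
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        throw new InvalidArgumentException('invalid email address');
    }
    $token = bin2hex(random_bytes(32)); // 256 bits from the CSPRNG; unguessable confirmation link
    try {
        $stmt = $db->prepare('INSERT INTO purchases (email, product_id, confirm_token, created_at)
                              VALUES (:email, :pid, :tok, :now)');
        $stmt->execute([':email' => $email, ':pid' => $productId, ':tok' => $token, ':now' => time()]);
    } catch (PDOException $e) {
        // SQLSTATE 23000 = integrity constraint violation, i.e. the UNIQUE (email, product_id) rule fired.
        if ((string) $e->getCode() === '23000') {
            return null;
        }
        throw $e;
    }
    return $token;
}

// Called from the link in the confirmation email; possession of the token proves control of the mailbox.
// Returns true only the first time a valid token is presented.
function confirm_purchase(PDO $db, string $token): bool
{
    $stmt = $db->prepare('UPDATE purchases SET confirmed = 1 WHERE confirm_token = :tok AND confirmed = 0');
    $stmt->execute([':tok' => $token]);
    return $stmt->rowCount() === 1;
}

// Demonstration with constructed data.
$db = open_store();
$first  = begin_purchase($db, 'Alice@Example.com', 42); // accepted, returns a token
$second = begin_purchase($db, 'alice@example.com', 42); // same mailbox and product: rejected (null)
$ok     = $first !== null && confirm_purchase($db, $first); // first confirmation succeeds
$again  = $first !== null && confirm_purchase($db, $first); // replaying the token fails
printf("first=%s second=%s confirmed=%s replay=%s\n",
    $first === null ? 'rejected' : 'accepted',
    $second === null ? 'rejected' : 'accepted',
    $ok ? 'yes' : 'no',
    $again ? 'yes' : 'no');
```

The session is still the right place to carry the customer through the checkout pages; the point of the example is that the thing being limited (a purchase per mailbox) lives in a record the customer cannot discard, and that the database, not application logic, is the arbiter when two requests for the same email arrive at once.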
