
To control access to my site I always set a few variables in the $_SESSION array, but I would like to know whether this is a secure solution or whether there is a better approach.

```php
($_SESSION['admin'] == 1) ? take_control_of_my_site : get_back;
```

3 answers


Session data is kept on the server side. That data can be trusted as long as

  • your server is secure
  • you carefully validate the data you place in the session.
answered 2013-05-24T17:19:11.650
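The two conditions in the answer above, spelled out as working code. This is an added example, not code from the question or from either answer: the user store is constructed for illustration, the cookie flags assume an HTTPS-only deployment, and `take_control_of_my_site` / `get_back` from the question become `require_admin()`.

```php
<?php
declare(strict_types=1);

// Added example: the question's $_SESSION['admin'] check together with the
// steps that make the stored flag trustworthy. The user store is constructed.

function configure_session(): void
{
    // Cookie flags are an assumption about the deployment (HTTPS only).
    session_set_cookie_params([
        'httponly' => true,  // JavaScript cannot read the session cookie
        'secure'   => true,  // cookie is only sent over HTTPS
        'samesite' => 'Lax', // not attached to cross-site POSTs
    ]);
    // Refuse session IDs the server did not generate itself, so an
    // attacker cannot plant a known ID (session fixation).
    ini_set('session.use_strict_mode', '1');
    session_start();
}

// Constructed user store: the role is looked up here, server-side, and
// is never read from the request.
function users(): array
{
    static $users = null;
    if ($users === null) {
        $users = [
            'alice' => ['hash' => password_hash('correct-horse', PASSWORD_DEFAULT), 'role' => 'admin'],
            'bob'   => ['hash' => password_hash('battery-staple', PASSWORD_DEFAULT), 'role' => 'user'],
        ];
    }
    return $users;
}

function login(string $username, string $password): bool
{
    $user = users()[$username] ?? null;
    // password_verify does a timing-safe comparison against the stored hash.
    if ($user === null || !password_verify($password, $user['hash'])) {
        return false;
    }
    // Issue a fresh ID on privilege change so a pre-login ID never becomes
    // an admin session; true discards the old session file.
    session_regenerate_id(true);
    $_SESSION['user']     = $username;
    $_SESSION['admin']    = $user['role'] === 'admin' ? 1 : 0; // derived from server data only
    $_SESSION['login_at'] = time();
    return true;
}

function is_admin(): bool
{
    // Strict comparison: only the integer 1 that login() stored passes.
    return isset($_SESSION['admin']) && $_SESSION['admin'] === 1;
}

function require_admin(): void
{
    if (!is_admin()) {
        http_response_code(403);
        exit('forbidden');
    }
}

function logout(): void
{
    $_SESSION = [];
    session_destroy();
}

// Usage on an admin-only page: the question's ternary becomes one call.
configure_session();
require_admin();          // get_back for everyone else
echo "take_control_of_my_site\n";
```

The login form handler would call `configure_session()` and then `login($_POST['user'] ?? '', $_POST['pass'] ?? '')`; everything that ends up in `$_SESSION` is either a value the server computed or the username that just passed `password_verify`, which is what "validate the data you place in the session" means in practice.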

Sessions are not inherently unsafe. There are risks, but they can be mitigated.

It is good to be aware of the risks, so that you can learn how to avoid them, but the one thing you shouldn't do is avoid using sessions altogether because of them. Sessions are a well-established tool, and used properly they are perfectly safe and secure.

In fact, it's pretty hard to write a useful web site that doesn't use some kind of session. If you don't use the built-in one, then you'll end up writing your own -- and in most cases, that really is a security risk. (I know of programmers who have become obsessed with the security risks of sessions, and ended up implementing far less secure solutions simply because they didn't want to use sessions).

It's worth pointing out that recent versions of PHP have made huge strides forward in terms of security. There were a number of features in old PHP versions that were genuinely bad for security; recent versions of PHP have made big efforts to deprecate and remove these bad features. You will note that sessions are not in that list. They haven't needed any significant security work. This should tell you all you need to know.

Sessions are stored by default on the server in plain text. This shouldn't be a problem, unless your server can be accessed by unwanted users. If this is the case, then your security is probably already shot, so it's not really an issue, but on the rare occasion that you might be worried about that, it is possible to get PHP to provide session encryption via the session_set_save_handler() function.

answered 2013-05-24T19:00:19.130
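The encrypted session storage the answer above mentions, as an added example that is not part of the original answer. `session_set_save_handler()` lets you plug in your own storage backend, and the encryption lives in that backend. The handler below implements PHP's `SessionHandlerInterface` (PHP 8 signatures), encrypts each session file with libsodium's secretbox, and is registered in place of the default plain-text file handler. The storage directory and the `SESSION_KEY` environment variable are assumptions for the example.

```php
<?php
declare(strict_types=1);

// Added example: a session save handler that stores each session encrypted
// on disk. Requires the sodium extension (bundled since PHP 7.2).
final class EncryptedFileSessionHandler implements SessionHandlerInterface
{
    private string $key;
    private string $dir;

    public function __construct(string $key, string $dir)
    {
        if (strlen($key) !== SODIUM_CRYPTO_SECRETBOX_KEYBYTES) {
            throw new InvalidArgumentException('key must be exactly 32 bytes');
        }
        $this->key = $key;
        $this->dir = $dir;
    }

    private function path(string $id): string
    {
        // The ID arrives in a cookie; allow only the characters PHP itself
        // generates before using it to build a file name.
        if (!preg_match('/^[A-Za-z0-9,-]{22,256}$/', $id)) {
            throw new RuntimeException('invalid session id');
        }
        return $this->dir . '/sess_' . $id;
    }

    public function open(string $path, string $name): bool
    {
        return is_dir($this->dir) || mkdir($this->dir, 0700, true);
    }

    public function close(): bool { return true; }

    public function read(string $id): string|false
    {
        $file = $this->path($id);
        if (!is_file($file)) {
            return '';                       // new session: nothing stored yet
        }
        $blob = (string) file_get_contents($file);
        $min  = SODIUM_CRYPTO_SECRETBOX_NONCEBYTES + SODIUM_CRYPTO_SECRETBOX_MACBYTES;
        if (strlen($blob) < $min) {
            return '';                       // truncated file: treat as empty
        }
        $nonce = substr($blob, 0, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
        $ct    = substr($blob, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
        $plain = sodium_crypto_secretbox_open($ct, $nonce, $this->key);
        // Authentication failure (tampered or foreign file) yields false:
        // start from an empty session rather than trusting the bytes.
        return $plain === false ? '' : $plain;
    }

    public function write(string $id, string $data): bool
    {
        $nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES); // fresh per write
        $ct    = sodium_crypto_secretbox($data, $nonce, $this->key);
        return file_put_contents($this->path($id), $nonce . $ct, LOCK_EX) !== false;
    }

    public function destroy(string $id): bool
    {
        $file = $this->path($id);
        return !is_file($file) || unlink($file);
    }

    public function gc(int $max_lifetime): int|false
    {
        $removed = 0;
        foreach (glob($this->dir . '/sess_*') ?: [] as $file) {
            if (filemtime($file) + $max_lifetime < time() && unlink($file)) {
                $removed++;
            }
        }
        return $removed;
    }
}

// Assumed: a 32-byte key supplied as 64 hex characters in SESSION_KEY.
$key = sodium_hex2bin((string) getenv('SESSION_KEY'));
$dir = sys_get_temp_dir() . '/enc_sessions';

// Stand-alone round trip (no HTTP request needed) using constructed data:
$handler = new EncryptedFileSessionHandler($key, $dir);
$handler->open($dir, 'PHPSESSID');
$id = bin2hex(random_bytes(16));
$handler->write($id, 'admin|i:1;user|s:5:"alice";');
assert($handler->read($id) === 'admin|i:1;user|s:5:"alice";');
assert(!str_contains((string) file_get_contents("$dir/sess_$id"), 'alice')); // not plain text
$handler->destroy($id);

// In the real application: register it, then use sessions as usual.
session_set_save_handler($handler, true);
session_start();
```

The key has to come from somewhere the web server can read but a leaked session directory does not expose (an environment variable or a file outside the document root); if the key sits next to the session files the encryption adds nothing. Secretbox authenticates as well as encrypts, so a session file edited on disk fails to decrypt and is treated as an empty session instead of yielding an attacker-chosen `$_SESSION['admin']`.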