Overview
HTTP is stateless: from one request to the next, the server cannot tell which user it is talking to. PHP session handling solves this by giving each user a key (a random session identifier string) that also serves as proof of the user's identity. On the server side, that key opens a "box" (kept in a database, an in-memory store such as Redis or Memcached, or, by default, a small file on disk), and the box holds that user's session variables.
Where is this key kept?
1. In the URL query string
2. In the browser cookie
The cookie is the default and the one to use: an ID carried in the URL ends up in server logs, browser history and Referer headers sent to other sites, so it leaks easily.
Traditional PHP session usage
Note that the superglobal is $_SESSION in upper case; PHP variable names are case-sensitive, so $_session is just an ordinary, empty array.

// page1.php: start a session and register a variable
<?php
session_start();
$_SESSION['user_var'] = "hello,codekissyoung!";
// $_SESSION can be thought of as the user's box; by default PHP stores it in a small file on the server
?>

// page2.php: read the variable back out of the box through the key
<?php
session_start();
echo $_SESSION['user_var'];
$_SESSION['user_var'] = "Bey, Codekissyoung!";
?>

// page3.php: destroy the session, typically when the user logs out
<?php
session_start();
session_destroy();
?>
One question remains: where is the key? The code above never touches it.
PHP does this behind the scenes. When page1.php runs session_start(), PHP generates a session ID (older releases mixed the client IP, the time and a pseudo-random value; since PHP 7.1 the ID comes from the system CSPRNG) and sends it back in the HTTP response as a Set-Cookie header named PHPSESSID. From then on the cookie lives in your browser and is sent with every request to that domain. This PHPSESSID is the key I am talking about.
Another question: how secure is this PHPSESSID? Is it easy to steal, forge, or tamper with?
Tampering and sniffing in transit: use HTTPS, and mark the cookie Secure so the browser never sends it in the clear. Forgery: the ID is a random value, so with a CSPRNG-generated ID forging it means guessing it; if you would rather issue your own key instead of PHPSESSID, generate it with random_bytes(), never from something predictable. Theft is the realistic risk: the ID can be read by injected JavaScript (XSS, mitigated by the HttpOnly flag), sniffed from plaintext HTTP, or taken by malware on the user's machine. Two related checks a practitioner should add: regenerate the ID after login so that an ID an attacker planted beforehand is useless (session fixation), and enable session.use_strict_mode so the server refuses IDs it did not issue.
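Putting those points into code, as an added example (not code from the original post): a session bootstrap that sets the cookie flags, turns on strict mode, regenerates the ID at login, and clears everything at logout. It assumes PHP 7.3 or later (options-array form of session_set_cookie_params and setcookie) and a site served over HTTPS; check_password() is a hypothetical stand-in for your own credential check.

```php
<?php
// Added example: hardened PHPSESSID lifecycle. Assumes PHP 7.3+ and HTTPS.

// Reject IDs the server did not issue; an attacker-supplied ID is discarded
// and a fresh one generated, which closes the session-fixation route.
ini_set('session.use_strict_mode', '1');
// Never accept or emit the session ID in the URL query string.
ini_set('session.use_only_cookies', '1');
ini_set('session.use_trans_sid', '0');

session_set_cookie_params([
    'lifetime' => 0,        // session cookie: discarded when the browser closes
    'path'     => '/',
    'domain'   => '',       // current host only; sharing across hosts is the SSO case
    'secure'   => true,     // only sent over HTTPS, so it cannot be sniffed
    'httponly' => true,     // not readable from JavaScript, so XSS cannot read it
    'samesite' => 'Lax',    // not sent on cross-site POSTs (CSRF)
]);

session_start();

/**
 * Call this once the user's credentials have been verified.
 * A new ID is issued so any ID known to an attacker before login is useless.
 */
function login_user(int $uid): void
{
    session_regenerate_id(true);          // true = delete the old session data too
    $_SESSION['uid']        = $uid;
    $_SESSION['login_time'] = time();
}

/** Full logout: empty the box, expire the cookie, then destroy the session. */
function logout_user(): void
{
    $_SESSION = [];
    $p = session_get_cookie_params();
    setcookie(session_name(), '', [
        'expires'  => time() - 3600,
        'path'     => $p['path'],
        'domain'   => $p['domain'],
        'secure'   => $p['secure'],
        'httponly' => $p['httponly'],
        'samesite' => $p['samesite'],
    ]);
    session_destroy();
}

// Usage, with check_password() standing in for your real credential check:
// if (check_password($_POST['user'], $_POST['pass'])) { login_user(42); }
// On the logout page: logout_user();
```

Because session_regenerate_id(true) is called only after the password check succeeds, an attacker who got a victim to use a known ID (for example by planting a cookie) is left holding an ID that no longer maps to any session.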
Storing your own generated key in a browser cookie
Set a cookie: setcookie('key', 'value', time() + 3600); delete it: setcookie('key', '', time() - 1);
(The third argument is the absolute expiry time as a Unix timestamp; a time in the past tells the browser to drop the cookie.)
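The post suggests issuing your own key instead of PHPSESSID. Here is an added example (not code from the original post) of doing that safely: the key comes from the CSPRNG, only its hash is kept server-side, and the cookie carries the same protective flags as a session cookie. It assumes PHP 7.3+; the $store array is a hypothetical stand-in for the database or cache that would hold the keys in a real deployment.

```php
<?php
// Added example: issue, verify and revoke a self-generated login key.
// $store is a constructed in-memory stand-in for a server-side table
// mapping sha256(key) => ['uid' => ..., 'expires' => ...].
$store = [];

/** Issue a fresh key for $uid, record its hash server-side, and hand the key to the browser. */
function issue_key(array &$store, int $uid, int $ttl = 3600): string
{
    $key = bin2hex(random_bytes(32));        // 256 bits from the CSPRNG: not guessable
    // Store only a hash: a leaked copy of the store does not yield usable keys.
    $store[hash('sha256', $key)] = ['uid' => $uid, 'expires' => time() + $ttl];
    setcookie('key', $key, [
        'expires'  => time() + $ttl,
        'path'     => '/',
        'secure'   => true,                  // HTTPS only
        'httponly' => true,                  // invisible to JavaScript
        'samesite' => 'Lax',
    ]);
    return $key;
}

/** Check the key the browser presented; returns the uid, or null if unknown, expired or malformed. */
function verify_key(array $store, ?string $presented): ?int
{
    // 64 lowercase hex characters is the only shape a valid key can have;
    // anything else never reaches the store.
    if ($presented === null || !preg_match('/^[0-9a-f]{64}$/', $presented)) {
        return null;
    }
    $h = hash('sha256', $presented);
    if (!isset($store[$h]) || $store[$h]['expires'] < time()) {
        return null;
    }
    return $store[$h]['uid'];
}

/** Revoke a key: forget it server-side and expire the cookie. */
function revoke_key(array &$store, string $key): void
{
    unset($store[hash('sha256', $key)]);
    setcookie('key', '', ['expires' => time() - 1, 'path' => '/']);
}

// Typical flow:
//   after login:       $k = issue_key($store, 42);
//   on each request:   $uid = verify_key($store, $_COOKIE['key'] ?? null);
//   on logout:         revoke_key($store, $_COOKIE['key']);
```

Deleting the cookie alone is not a logout: the server-side record is what makes the key valid, so revoke_key() removes that first and expires the cookie second.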
Implementing single sign-on: session sharing
Single sign-on (SSO): several subsystems share one user-authentication system, so logging in once gives access to all of them.
Imagine server A and server B running identical PHP environments. The user obtains a key on server A and then presents it to server B. Does B recognise it?
Obviously not: B has no record of a key that A generated. (There is a second obstacle before that one: the browser will only present A's cookie to B if both hosts fall under the same cookie Domain, for example a.example.com and b.example.com with the cookie's domain set to example.com. Two unrelated hostnames can never share a cookie.)
Solution: whether the user logs in on A or on B, the generated key is stored in C (a shared database or cache). When the user comes back to A or B, each asks C: "is this the user's key?" If C says yes, the user's box is available on whichever of A or B they are visiting.
// After a successful login on A or B: reset the session ID, then record it in C
<?php
session_regenerate_id();   // issue a fresh session ID
$session_info = array(
    'uid'     => $uid,
    'session' => session_encrypt(session_id()),   // session_encrypt() is the author's own helper, not a PHP built-in
);
// The next step is to save $session_info to C
?>
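The cleanest way to get the "both ask C" behaviour is to let PHP's session machinery itself read and write C, so that A and B need no hand-written lookup code. The following is an added example, not code from the original post: a custom save handler backed by a database that both servers can reach, plus the cookie domain setting that lets the browser present the same key to both hosts. It assumes PHP 7.4 or later, PDO with a MySQL/MariaDB driver, and a table created as CREATE TABLE sessions (id VARCHAR(128) PRIMARY KEY, data BLOB NOT NULL, expires INT UNSIGNED NOT NULL); the hostname c.example.internal, the credentials and the domain example.com are placeholders.

```php
<?php
// Added example: A and B share session store C through a custom save handler.
// Assumes PHP 7.4+, PDO (mysql driver) and the `sessions` table described above.

class SharedSessionHandler implements SessionHandlerInterface, SessionUpdateTimestampHandlerInterface
{
    private PDO $db;
    private int $ttl;   // seconds a box stays valid after its last write

    public function __construct(PDO $db, int $ttl = 1440)
    {
        $this->db  = $db;
        $this->ttl = $ttl;
    }

    public function open($savePath, $sessionName): bool { return true; }
    public function close(): bool { return true; }

    /** Fetch the box for this key; '' means C has no (unexpired) box for it. */
    public function read($id): string
    {
        $st = $this->db->prepare('SELECT data FROM sessions WHERE id = ? AND expires > ?');
        $st->execute([$id, time()]);
        $row = $st->fetch(PDO::FETCH_ASSOC);
        return $row ? $row['data'] : '';
    }

    /** Store the serialized box under its key, creating or replacing the row. */
    public function write($id, $data): bool
    {
        $st = $this->db->prepare(
            'INSERT INTO sessions (id, data, expires) VALUES (?, ?, ?)
             ON DUPLICATE KEY UPDATE data = VALUES(data), expires = VALUES(expires)');
        return $st->execute([$id, $data, time() + $this->ttl]);
    }

    public function destroy($id): bool
    {
        return $this->db->prepare('DELETE FROM sessions WHERE id = ?')->execute([$id]);
    }

    /** Garbage collection: drop expired boxes; returns how many were removed. */
    public function gc($maxLifetime): int
    {
        $st = $this->db->prepare('DELETE FROM sessions WHERE expires < ?');
        $st->execute([time()]);
        return $st->rowCount();
    }

    /** Required for session.use_strict_mode to bite with a custom handler:
     *  PHP calls this to ask "did C issue this key?" and discards unknown IDs. */
    public function validateId($id): bool
    {
        $st = $this->db->prepare('SELECT 1 FROM sessions WHERE id = ? AND expires > ?');
        $st->execute([$id, time()]);
        return (bool) $st->fetchColumn();
    }

    /** Called instead of write() when the box is unchanged; only extends the expiry. */
    public function updateTimestamp($id, $data): bool
    {
        return $this->db->prepare('UPDATE sessions SET expires = ? WHERE id = ?')
                        ->execute([time() + $this->ttl, $id]);
    }
}

// Identical bootstrap on server A and on server B (placeholder DSN and credentials):
$db = new PDO('mysql:host=c.example.internal;dbname=sso', 'sso_user', 'secret', [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
]);
session_set_save_handler(new SharedSessionHandler($db), true);
ini_set('session.use_strict_mode', '1');   // only keys present in C are accepted

// The browser will only send A's cookie to B if both hosts sit under the same
// Domain: here a.example.com and b.example.com share example.com.
session_set_cookie_params([
    'lifetime' => 0, 'path' => '/', 'domain' => 'example.com',
    'secure' => true, 'httponly' => true, 'samesite' => 'Lax',
]);
session_start();
// From here on, $_SESSION written on A is readable on B and vice versa.
```

Two things to watch in this setup. First, without validateId() PHP cannot enforce strict mode for a custom handler, so an attacker-chosen ID would be accepted; implementing SessionUpdateTimestampHandlerInterface is what makes the "ask C" check real. Second, widening the cookie to example.com means every subdomain receives the key, so a vulnerable or less trusted host under that domain becomes a place where the key can be stolen.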