Recommended for anyone learning PHP sessions: getting started with PHP sessions (page 1 of 2) - PHP tips

Source: Internet
Author: User
Because the session is stored as a text file on the server side, there is no need to worry about the client modifying the session content. In fact, PHP automatically sets the permissions of the server-side session file so that only the system has read and write access, and the file cannot be modified through FTP, so it is much more secure.
For cookies, suppose we want to verify that the user is logged in. We must save the username and password in the cookie (possibly as an MD5-hashed string) and verify them each time a page is requested. If the username and password are stored in a database, a database query is executed on every request, which places an extra burden on the database, because we cannot validate just once. Why not? Because the information in the client's cookie is likely to be modified. Suppose you store an $admin variable to indicate whether the user is logged in, where true means logged in and false means not logged in. After the first successful verification, $admin = true is stored in the cookie so that the next request does not have to be verified. Is that right? Wrong. If someone forges an $admin variable with a value of true, do they not immediately gain administrative privileges? It's very unsafe.
The session is different. It is stored on the server side and the remote user cannot modify the contents of the session file, so we can simply store an $admin variable to determine whether the user is logged in. After the first validation passes, $admin is set to true; later requests check whether the value is true and, if not, redirect to the login page. This saves a lot of database operations. It also reduces the security risk of sending the password on every request, as cookie verification does (session validation only needs to send it once, if you don't use the SSL security protocol). Even an MD5-hashed password is very easy to intercept.
Of course, sessions have many other advantages, such as being easy to control and allowing storage to be customized per user (for example, stored in a database). I won't say much more about that here.
Does the session need to be configured in php.ini? Generally not, because not everyone has permission to modify php.ini. The default session storage path is the server's system temporary folder; we can customize it to store sessions in our own folder, which I will introduce later.
Let's begin with how to create a session. It's really very simple.
Start the session and create an $admin variable:

<?php
// Start the session
session_start();
// Declare a session variable named admin and assign it null
$_SESSION["admin"] = null;
?>
If you use sessions, or if a PHP file accesses session variables, you must start the session with the session_start() function before accessing them. Nothing else needs to be set up; PHP creates the session file automatically.

After running this program, we can go to the system temporary folder and find the session file. The file name generally looks like sess_4c83638b3b0dbf65583181c2f89168ec: the sess_ prefix followed by a 32-character encoded random string. Open it in an editor and look at its contents:

admin|N;

The content generally has this structure:

variable name|type:length:value;

Each variable is separated by a semicolon. Some parts, such as the length and type, can be omitted.

Let's take a look at the validation program, assuming that the database stores the username and the MD5-hashed password:

login.php
<?php
// After form submission ...
$posts = $_POST;
// Strip leading and trailing whitespace
foreach ($posts as $key => $value) {
    $posts[$key] = trim($value);
}
$password = md5($posts["password"]);
$username = $posts["username"];

// Note: the form values are interpolated directly into the SQL text here;
// bind them as parameters in your database layer when handling real input.
$query = "SELECT `username` FROM `user` WHERE `password` = '$password' AND `username` = '$username'";
// Get the query result
$userInfo = $DB->getrow($query);

if (!empty($userInfo)) {
    // When validation passes, start the session
    session_start();
    // Register the admin variable for a successful login and set it to true
    $_SESSION["admin"] = true;
} else {
    die("Incorrect username or password");
}
?>
On pages that require user authentication, we start the session and determine whether the user is logged in:

<?php
// Prevent global variables from causing a security risk
$admin = false;
// Start the session; this step is essential
session_start();
// Determine whether the user is logged in
if (isset($_SESSION["admin"]) && $_SESSION["admin"] == true) {
    echo "You have successfully logged in";
} else {
    // Validation failed; set $_SESSION["admin"] to false
    $_SESSION["admin"] = false;
    die("You are not entitled to access");
}
?>
Isn't that simple? Think of $_SESSION as an array stored on the server side: every variable we register is a key in that array, and using it is no different from using an ordinary array.
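A hardened version of the login and the logged-in check, as an added example that is not part of the original article. It assumes the pdo_sqlite extension and a constructed in-memory `user` table with a `password_hash` column; it swaps the article's `$DB->getrow` wrapper for a PDO prepared statement and MD5 for `password_hash()`/`password_verify()`, and the function names are this example's own.

```php
<?php
declare(strict_types=1);

// Constructed demo data: in-memory SQLite table standing in for the page's `user` table.
function make_demo_db(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE user (username TEXT PRIMARY KEY, password_hash TEXT NOT NULL)');
    $insert = $db->prepare('INSERT INTO user (username, password_hash) VALUES (?, ?)');
    $insert->execute(['alice', password_hash('correct horse', PASSWORD_DEFAULT)]);
    return $db;
}

// Marks the session as logged in only when the submitted credentials match.
function login(PDO $db, string $username, string $password): bool
{
    // Bound parameter: the submitted name is passed as data, never as SQL text.
    $stmt = $db->prepare('SELECT password_hash FROM user WHERE username = ?');
    $stmt->execute([trim($username)]);
    $hash = $stmt->fetchColumn();
    if ($hash === false || !password_verify($password, $hash)) {
        return false;
    }
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    // Issue a fresh session ID at login and delete the old session file.
    session_regenerate_id(true);
    $_SESSION['admin'] = true;
    return true;
}

// Strict check: only the boolean true stored by login() counts as logged in.
function is_logged_in(): bool
{
    return isset($_SESSION['admin']) && $_SESSION['admin'] === true;
}

// Collect results first and print last, so no output precedes the session headers.
$db = make_demo_db();
$checks = [
    'name containing a quote' => login($db, "o'neil", 'x'),
    'wrong password'          => login($db, 'alice', 'wrong password'),
    'logged in before login'  => is_logged_in(),
    'correct password'        => login($db, 'alice', 'correct horse'),
    'logged in after login'   => is_logged_in(),
];
var_dump($checks);
```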

What if you want to log out of the system? Just destroy the session.

<?php
session_start();
// This approach destroys a single variable that was registered earlier
unset($_SESSION['admin']);
// This approach destroys the entire session file
session_destroy();
?>
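A fuller logout, as an added example that is not part of the original article: session_destroy() removes the session file, but it leaves $_SESSION populated for the rest of the request and leaves the session cookie in the browser. The logout() helper name is an assumption of this example.

```php
<?php
declare(strict_types=1);

// Ends the login completely: session data, session cookie and session file.
function logout(): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    // session_destroy() leaves $_SESSION populated for this request, so empty it first.
    $_SESSION = [];
    // Expire the browser's session cookie, reusing the parameters it was set with.
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
            $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    // Remove the server-side session file.
    session_destroy();
}

// Demo: results are collected first and printed last, so no output precedes the headers.
session_start();
$_SESSION['admin'] = true;
session_destroy();                              // session_destroy() on its own
$stillSetAfterDestroy = isset($_SESSION['admin']);

session_start();                                // fresh, empty session
$_SESSION['admin'] = true;
logout();
$stillSetAfterLogout = isset($_SESSION['admin']);

var_dump([
    'admin set after session_destroy() alone' => $stillSetAfterDestroy,
    'admin set after logout()'                => $stillSetAfterLogout,
]);
```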
Can a session be given a lifetime like a cookie? Does using sessions mean discarding cookies completely? I would say that it is most convenient to use sessions together with cookies.