Session Usage in PHP development

Source: Internet
Author: User
Tags: ini, md5, php, file, sessions, file permissions

In PHP development, session data is stored on the server side, unlike a cookie, so it is relatively secure and is not subject to the storage-size limits that cookies have. This article briefly describes how to use sessions.

Because the session is stored as a text file on the server side, there is no need to worry about the client modifying the session content. PHP automatically sets the permissions of the server-side session file so that only the system account can read and write it; it cannot be modified through FTP, which makes it much more secure.

With cookies, suppose we want to verify that the user is logged in: we must save the username and password in the cookie (possibly as an MD5 hash) and verify them every time a page is requested. If the username and password are stored in the database, a database query runs on every request, placing an extra burden on the database. Why can't we validate just once? Because the information in the client cookie can be modified. Suppose we store an $admin variable to indicate whether the user is logged in, true meaning logged in and false meaning not logged in; after the first successful verification we store $admin = true in the cookie and skip the verification next time. Is this right? Wrong: if someone forges an $admin cookie with the value true, do they not immediately obtain administrative privileges? It is very unsafe.

The session is different: it is stored on the server side, and a remote user cannot modify the contents of the session file, so we can simply store an $admin variable to record whether the user is logged in. After the first validation passes, set $admin to true; on later requests, check whether the value is true and, if not, send the user to the login page. This removes a lot of database operations. It also avoids the risk of transmitting the password on every request, as cookie validation does (with session validation the password only needs to be sent once, which matters if you are not using SSL). Even if the password is MD5-hashed, it is very easy to intercept.

Of course, sessions have many other advantages, such as easy control and storage that can be customized per user (for example, in the database). I will not say more about that here.

Does the session need to be configured in php.ini? Generally not, because not everyone has the right to modify php.ini. By default, sessions are stored in the server's system temporary folder; we can customize this to store them in our own folder, which I will introduce later.

Let me describe how to create a session. It is very simple.

Start a session and create an $admin variable:

<?php
// start the session
session_start();
// declare a variable named admin and give it an empty value
// (the superglobal is $_SESSION, in upper case; $_session is a different, undefined variable)
$_SESSION["admin"] = null;
?>

If a PHP file uses session variables, you must start the session before accessing them by calling the session_start() function. Nothing else needs to be set up; PHP creates the session file automatically.

After running this program, we can find the session file in the system temporary folder. The file name looks like sess_4c83638b3b0dbf65583181c2f89168ec: the prefix sess_ followed by a 32-character random string. Open it with an editor and look at its contents:

admin|N;

The general structure of this content is:

variable name|type:length:value;

Each variable ends with a semicolon. Some parts can be omitted, such as the length and type.
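As an added example (not code from the original article), the following decoder reads a session file in the name|serialized-value format shown above and turns it into a PHP array. It handles the scalar types PHP's serialize() notation uses (N; for null, b:1; for booleans, i:42; for integers, d:1.5; for floats, s:5:"alice"; for strings) and rejects anything else; the sample file content is constructed.

```php
<?php
// Added example: decode "name|value" records from a PHP session file.
// Only scalar serialize() tokens are supported; arrays/objects raise an error.
function decode_session_file(string $raw): array
{
    $vars = [];
    $pos = 0;
    $len = strlen($raw);
    while ($pos < $len) {
        $bar = strpos($raw, '|', $pos);
        if ($bar === false) {
            throw new RuntimeException("Missing '|' after offset $pos");
        }
        $name = substr($raw, $pos, $bar - $pos);
        $rest = substr($raw, $bar + 1);
        // One scalar token: N; | b:0; | i:-12; | d:1.5; | s:<len>:"...";
        if (!preg_match('/^(?:N;|b:[01];|i:-?\d+;|d:-?[\d.Ee+-]+;|s:(\d+):")/', $rest, $m)) {
            throw new RuntimeException("Unsupported value for '$name'");
        }
        if (isset($m[1]) && $m[1] !== '') {
            // s:<len>:"<bytes>"; the declared length is binary-safe, so use it
            // instead of searching for the closing quote (+2 for '"' and ';').
            $tokenLen = strlen($m[0]) + (int) $m[1] + 2;
        } else {
            $tokenLen = strlen($m[0]);
        }
        $token = substr($rest, 0, $tokenLen);
        // allowed_classes => false: never instantiate objects from session text.
        $value = unserialize($token, ['allowed_classes' => false]);
        if ($value === false && $token !== 'b:0;') {
            throw new RuntimeException("Could not unserialize value for '$name'");
        }
        $vars[$name] = $value;
        $pos = $bar + 1 + $tokenLen;
    }
    return $vars;
}

// Constructed sample: the article's file plus a few more variables.
$sample = 'admin|N;logged_in|b:1;uid|i:42;user|s:5:"alice";';
var_dump(decode_session_file($sample));
```

Run it with php on the command line; the admin entry decodes to NULL, matching the file written by the first snippet.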

Let's look at the validator, assuming the database stores the username and the MD5-hashed password:

<?php

// after the form is submitted...
$posts = $_POST;
// strip surrounding whitespace from every field
foreach ($posts as $key => $value)
{
    $posts[$key] = trim($value);
}
$password = md5($posts["password"] ?? '');
$username = $posts["username"] ?? '';

// $password is a 32-character hex digest, so interpolating it here cannot break the query
$query = "SELECT `username` FROM `user` WHERE `password` = '$password'";
// fetch the query result ($DB is the article's database abstraction object)
$userInfo = $DB->getRow($query);

if (!empty($userInfo))
{
    if ($userInfo["username"] == $username)
    {
        // once validation passes, start the session (must happen before any output)
        session_start();
        // register the admin variable for a successful login and set it to true
        $_SESSION["admin"] = true;
    }
    else
    {
        die("Wrong username or password");
    }
}
else
{
    die("Wrong username or password");
}
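The article describes, but does not show, the other half of the scheme: the check that every protected page runs against $_SESSION["admin"]. The following is an added example (not from the original article) of that check, together with a login hook and a logout routine; the login URL is an assumed value, and the session ID regeneration on login and the cookie clearing on logout are additions beyond what the article does.

```php
<?php
// Added example: gate a page on the $_SESSION["admin"] flag set by the validator.
declare(strict_types=1);

function require_admin(string $loginUrl = '/login.php'): void
{
    // session_start() must run before any output is sent.
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    // Strict comparison: a missing key, or the null written by
    // $_SESSION["admin"] = null, both count as "not logged in".
    if (!isset($_SESSION['admin']) || $_SESSION['admin'] !== true) {
        header('Location: ' . $loginUrl, true, 302);
        exit;
    }
}

function login_succeeded(): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    // Assumed addition: issue a fresh session ID when privilege changes, so an
    // ID that existed before login is not carried over into the admin session.
    session_regenerate_id(true);
    $_SESSION['admin'] = true;
}

function logout(): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    $_SESSION = [];
    // Remove the client-side cookie as well as the server-side session file.
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
                  $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
}

// On a protected page, call require_admin() first, then render the page.
```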
