Because session data is stored in a file on the server side, we do not have to worry about the client tampering with its contents. PHP creates that file under the web server's own account, with read/write permission for that account only (mode 0600 by default), and the file is never served over HTTP or reachable through an ordinary client connection such as FTP. The client only ever holds the session ID, which makes sessions considerably safer than storing state in cookies.
With a cookie alone, checking whether a user is logged in means storing the user name and password in the cookie (perhaps as an MD5 hash) and verifying them on every page request. If the credentials live in a database, that is one query per request, an unnecessary burden on the database. Why can we not verify just once? Because anything stored in a client-side cookie can be modified by the client. Suppose we store an $admin variable in the cookie, true for logged in and false for not, set it to true after the first successful check, and skip the check on later requests. Is that right? No: anyone who forges a cookie with $admin set to true is immediately granted administrative rights. That is not safe at all.
A session is different. Its contents are stored on the server, where a remote user cannot modify them, so we can simply store an $admin variable and use it to decide whether the user is logged in: set $admin to true after the first successful verification, and on later pages just check whether it is true, sending the user to the login page if it is not. That removes a lot of database operations. It also avoids the risk of transmitting the password on every request, which cookie-based verification requires (with a session the credentials are sent only once, which matters if you are not using SSL/TLS); even an MD5-hashed password is easy to intercept and replay on the wire. What the client still holds is the session ID, so that ID needs protecting as well: regenerate it after a successful login so an attacker cannot plant one in advance, and mark the cookie HttpOnly and, on HTTPS sites, Secure.
Sessions have other advantages too, such as being easy to control and supporting user-defined storage (for example in a database). I will not go into those here.
Does the session need to be configured in php.ini? Generally not. Not everyone has permission to modify php.ini, and by default session files are written to the server's system temp folder; we can also point them at a folder of our own, which I will cover later.
Let's start with how to create a session. It really is very simple.
Start the session and create an $admin variable:
<?php
// Start the session
session_start();
// Declare a variable named admin and assign it a null value
$_SESSION["admin"] = null;
?>
If a PHP file uses sessions at all, that is, reads or writes session variables, it must call session_start() before the first use of $_SESSION. Nothing else needs to be set up; PHP creates the session file for you.
After running this script we can look in the system temp folder for the session file. Its name looks like sess_4c83638b3b0dbf65583181c2f89168ec: the prefix sess_ followed by the 32-character hexadecimal session ID that PHP generated at random. Open it with an editor and its contents are:
admin|N;
In general the file is made up of entries of the form:
variable name | serialized value
The value is written in the same notation as PHP's serialize(): a type letter, then, for the types that need them, a length and/or the value, and a terminating semicolon. N; is null (what our script stored), b:1; is true, i:3; is the integer 3 and s:5:"alice"; is a five-byte string. Entries are simply concatenated one after another; the type and length fields only appear where the type requires them, which is why the example above shows neither.
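Reading such a file back is easy to try from the command line. The following is an added example, not code from the original tutorial: it writes a real session file under the system temp folder (with cookies disabled, since there is no browser, and a constructed session ID of the same shape as the one above) and then decodes it with a small parser for the variable|value format just described. The parser deliberately handles only scalar values; nested arrays (a:) are rejected rather than silently mis-read. A string value may itself contain "|" or ";", which is why the parser trusts the declared byte length instead of searching for separators.

```php
<?php
// Added example: write a real session file from the CLI and decode it.
// Handles the default "php" serialize handler and scalar values only.

function read_scalar(string $data, int $pos): array
{
    // Returns [value, position just after the terminating ';'].
    $type = $data[$pos] ?? '';
    switch ($type) {
        case 'N': // N;
            if (substr($data, $pos, 2) !== 'N;') {
                throw new RuntimeException("bad null at offset $pos");
            }
            return [null, $pos + 2];
        case 'b': // b:1; or b:0;
        case 'i': // i:123;
        case 'd': // d:1.5;
            $end = strpos($data, ';', $pos);
            if ($end === false || ($data[$pos + 1] ?? '') !== ':') {
                throw new RuntimeException("bad scalar at offset $pos");
            }
            $raw = substr($data, $pos + 2, $end - $pos - 2);
            if ($type === 'b') {
                $value = ($raw === '1');
            } elseif ($type === 'i') {
                $value = (int) $raw;
            } else {
                $value = (float) $raw;
            }
            return [$value, $end + 1];
        case 's': // s:5:"alice";  the length is in bytes
            $colon = strpos($data, ':', $pos + 2);
            if ($colon === false || ($data[$pos + 1] ?? '') !== ':') {
                throw new RuntimeException("bad string at offset $pos");
            }
            $len   = (int) substr($data, $pos + 2, $colon - $pos - 2);
            $start = $colon + 2; // skip the :" that opens the value
            $value = substr($data, $start, $len);
            if (substr($data, $start + $len, 2) !== '";') {
                throw new RuntimeException("bad string terminator at offset $pos");
            }
            return [$value, $start + $len + 2];
        default:
            throw new RuntimeException("unsupported type '$type' at offset $pos");
    }
}

function decode_session_data(string $data): array
{
    $vars = [];
    $pos  = 0;
    $len  = strlen($data);
    while ($pos < $len) {
        $bar = strpos($data, '|', $pos);
        if ($bar === false) {
            throw new RuntimeException("missing '|' after offset $pos");
        }
        $name = substr($data, $pos, $bar - $pos);
        [$value, $pos] = read_scalar($data, $bar + 1);
        $vars[$name] = $value;
    }
    return $vars;
}

// Write a real session file. No HTTP here, so disable cookies and choose the ID ourselves.
ini_set('session.use_cookies', '0');
ini_set('session.use_strict_mode', '0');       // allow a caller-supplied ID for this demo only
ini_set('session.serialize_handler', 'php');   // the variable|value format discussed above
session_save_path(sys_get_temp_dir());
session_id('4c83638b3b0dbf65583181c2f89168ec'); // constructed ID, same shape as in the article
session_start();
$_SESSION['admin']  = true;
$_SESSION['user']   = 'alice';
$_SESSION['visits'] = 3;
$id = session_id();
session_write_close();

$file = session_save_path() . DIRECTORY_SEPARATOR . 'sess_' . $id;
$raw  = file_get_contents($file);
echo $file, "\n", $raw, "\n";
var_dump(decode_session_data($raw));
unlink($file); // clean up the demo file
```

The file written by this script contains the three variables as consecutive variable|value entries, with a boolean, a string and an integer, and decode_session_data() returns them as a PHP array with the original types. Strict mode is turned off only so the demo can pick its own ID; a real application should leave session.use_strict_mode on so the server never accepts an ID it did not issue.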
Now let's look at the validation script. Assume the database stores the user name and an MD5 hash of the password:
login.php
<?php
// After the form is submitted ...
$posts = $_POST;
// Strip surrounding whitespace from every field
foreach ($posts as $key => $value) {
    $posts[$key] = trim($value);
}
// MD5 is used only because this tutorial's database stores MD5 hashes;
// unsalted MD5 is not a safe password hash.
$password = md5($posts["password"]);
$username = $posts["username"];
// $DB is assumed to be a PDO connection. Never splice user input into the
// SQL string; bind it as a parameter so a crafted user name cannot alter the query.
$stmt = $DB->prepare("SELECT `username` FROM `user` WHERE `password` = ? AND `username` = ?");
$stmt->execute([$password, $username]);
// Get the query result
$userInfo = $stmt->fetch();
if (!empty($userInfo)) {
    // Validation passed: start the session
    session_start();
    // Register the admin variable that marks a successful login and set it to true
    $_SESSION["admin"] = true;
} else {
    die("Wrong user name or password");
}
?>
On any page that requires the user to be logged in, we start the session and check the flag:
<?php
// Guard against register_globals: a forged $admin request variable must not pre-set this
$admin = false;
// Start the session; this step is essential
session_start();
// Check whether the user is logged in
if (isset($_SESSION["admin"]) && $_SESSION["admin"] === true) {
    echo "You are logged in";
} else {
    // Validation failed: set $_SESSION["admin"] to false
    $_SESSION["admin"] = false;
    die("You are not authorized to access this page");
}
?>
Isn't that simple? Think of $_SESSION as an array kept on the server: every variable we register is a key in that array, and it is used exactly like any other array.
What about logging out? The session can be destroyed:
<?php
session_start();
// Remove one registered variable
unset($_SESSION['admin']);
// Destroy the whole session file
session_destroy();
?>
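The login, access-check and logout pages above form one flow, and the following is an added example, not the tutorial's own code, showing that flow the way a security reviewer would want it written. It assumes PHP 7.3 or later, a PDO connection, a `user` table whose password_hash column holds values produced by password_hash() instead of MD5, and, only for the command-line demo at the end, the PDO SQLite driver to build a throwaway database. The names login(), require_login(), logout() and start_secure_session() are this example's own.

```php
<?php
// Added example: hardened login / access check / logout using PHP sessions.
declare(strict_types=1);

function start_secure_session(): void
{
    if (session_status() === PHP_SESSION_ACTIVE) {
        return;
    }
    // Accept only IDs the server issued; an attacker-chosen ID is discarded.
    ini_set('session.use_strict_mode', '1');
    ini_set('session.use_only_cookies', '1');
    // Keep the ID away from scripts and, on HTTPS sites, off plain HTTP.
    session_set_cookie_params([
        'httponly' => true,
        'secure'   => !empty($_SERVER['HTTPS']),
        'samesite' => 'Lax',
    ]);
    session_start();
}

// login.php: returns true on success. SQL is never built from user input.
function login(PDO $db, string $username, string $password): bool
{
    $username = trim($username);
    $stmt = $db->prepare('SELECT password_hash FROM user WHERE username = ?');
    $stmt->execute([$username]);
    $hash = $stmt->fetchColumn();
    // password_verify() is constant-time and knows the salt and algorithm itself.
    if ($hash === false || !password_verify($password, $hash)) {
        return false;
    }
    start_secure_session();
    // A fresh ID after authentication defeats session fixation: an ID planted
    // in the victim's browser before login is worthless afterwards.
    session_regenerate_id(true);
    $_SESSION['admin'] = true;
    $_SESSION['user']  = $username;
    return true;
}

// Protected page: true only if the server-side flag says we are logged in.
function require_login(): bool
{
    start_secure_session();
    return isset($_SESSION['admin']) && $_SESSION['admin'] === true;
}

// logout.php: clear the data, delete the file, and expire the client's cookie.
function logout(): void
{
    start_secure_session();
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', [
            'expires'  => time() - 42000,
            'path'     => $p['path'],
            'domain'   => $p['domain'],
            'secure'   => $p['secure'],
            'httponly' => $p['httponly'],
            'samesite' => $p['samesite'],
        ]);
    }
    session_destroy();
}

// Command-line demo with a constructed in-memory database (assumes pdo_sqlite).
if (PHP_SAPI === 'cli') {
    ini_set('session.use_cookies', '0');   // no browser, so no cookie to send
    session_save_path(sys_get_temp_dir());
    $db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
    $db->exec('CREATE TABLE user (username TEXT PRIMARY KEY, password_hash TEXT NOT NULL)');
    $db->prepare('INSERT INTO user VALUES (?, ?)')
       ->execute(['alice', password_hash('correct horse', PASSWORD_DEFAULT)]);

    var_dump(login($db, 'alice', 'wrong password'));
    var_dump(login($db, "alice' OR '1'='1", 'anything')); // the quote is just data here
    var_dump(login($db, 'alice', 'correct horse'));
    var_dump(require_login());
    logout();
    var_dump(require_login());
}
```

Run from the command line, the first two login attempts fail (the second because the bound parameter cannot change the query), the third succeeds, require_login() then reports a logged-in session, and after logout() it reports none, because session_destroy() removed the file and a fresh, empty session was started. Compared with the tutorial's pages, the changes are prepared statements instead of string-built SQL, password_verify() instead of MD5, a regenerated session ID on login, and a logout that also invalidates the cookie the browser holds.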
Can a session be given a lifetime the way a cookie can? Can sessions do away with cookies altogether? In my view the most convenient arrangement is to use sessions together with cookies.