Since the session is stored as a text file on the server side, the client is not afraid to modify the session content. In fact, the server side of the session file, PHP automatically modify the session file permissions, only the system read and write permissions, and can not be modified by FTP, so much more secure. Phpchina Open Source Community Portal
For a cookie, if we want to verify that the user is logged in, we must save the user name and password in the cookie (possibly the MD5 encrypted string) and verify it each time the page is requested. If the user name and password are stored in the database, a database query is executed once each time, which creates an unnecessary burden on the database. Because we can't just do one Test at a time. Why? Because the information in the client Cookie is likely to be modified. If you store $admin variable to indicate whether the user is logged in, $admin is true when the login, false indicates not logged in, after the first pass the verification will be $admin equal to true stored in the Cookie, next time will not be verified, so right? wrong, if someone Forge a $admin variable with a value of true that's not the immediate administrative privilege? It's very unsafe.
And the session is different, the session is stored on the server side, the remote user can not modify the contents of the Session file, so we could simply store a $admin variable to determine whether to log in, the first validation passed after the setting $admin value is true, Later to determine whether the value is true, if not, into the landing interface, so that you can reduce a lot of database operations. It can also reduce the security of passing passwords every time a Cookie is validated (session validation needs to be passed only once if you are not using the SSL security protocol). Even if the password is MD5 encrypted, it is easy to intercept.
Of course, the use of the session has many advantages, such as easy to control, according to user-defined storage, etc. (stored in the database). I'm not going to say much here.
Does the session need to be set in php.ini? Generally do not need, because not everyone has the right to modify PHP.ini, the default session of the storage path is the server's system Temp folder, we can customize to store in their own folder, this later I will introduce.
Start by describing how to create a session. It's very simple, really.
Start session sessions and create a $admin variable:
Copy CodeThe code is as follows:
Start session
Session_Start ();
Declare a variable named admin and assign a null value.
$_session["admin"] = null;
?>
If you use Seesion, or if the PHP file is to invoke the session variable, you must start it before calling the session and use the Session_Start () function. Others do not need you to set up, PHP automatically complete the session file creation.
After the implementation of this program, we can go to the system Temp folder to find the session file, the general file name such as: Sess_4c83638b3b0dbf65583181c2f89168ec, followed by a 32-bit encoded random string. Open it with an editor and look at its contents:
admin| N
Generally this is the structure of this content:
Variable name | Type: Length: value;
Separate each variable with a semicolon. Some can be omitted, such as length and type.
Let's take a look at the validator, assuming that the database stores the user name and MD5 encrypted password:
Copy CodeThe code is as follows:
After the form is submitted ...
$posts = $_post;
Clear some blank symbols
foreach ($posts as $key = $value)
{
$posts [$key] = Trim ($value);
}
$password = MD5 ($posts ["Password"]);
$username = $posts ["username"];
$query = "Select ' username ' from ' user ' Where ' password ' = ' $password '";
Get query Results
$userInfo = $DB->getrow ($query);
if (!empty ($userInfo))
{
if ($userInfo ["username"] = = $username)
{
When the validation passes, start the session
Session_Start ();
Register the login successful admin variable and assign the value true
$_session["Admin"] = true;
}
Else
{
Die ("User name password error");
}
}
Else
{
Die ("User name password error");
}
We start the session on a page that requires user authentication to determine whether to log in:
Prevent global variables from causing security risks
$admin = false;
Start the session, this step is essential
Session_Start ();
Determine whether to log in
if (Isset ($_session["admin"]) && $_session["admin"] = = = True)
{
echo "You have successfully landed";
}
Else
{
Validation failed with $_session["admin" set to False
$_session["admin"] = false;
Die ("You are not authorized to access");
}
?>
Is it very simple? Consider $_session as an array stored on the server side, and every variable we register is the key to the array, not the same as using the array.
What if you want to log out of the system? The session can be destroyed.
Copy CodeThe code is as follows:
Session_Start ();
This method destroys a variable that was originally registered
unset ($_session["admin"]);
This method is to destroy the entire session file
Session_destroy ();
?>
Can session set the life cycle like a cookie? Does the session completely discard cookies? I would say that it is most convenient to use a session with a cookie.
How does the session determine the client user? It is determined by the session ID, what is the session ID, is the file name of the session file, session ID is randomly generated, so can ensure uniqueness and randomness, to ensure that the Session of the security All. In general, if the lifetime of the session is not set, the session ID is stored in memory, the ID is automatically logged off after the browser is closed, and a session ID is re-registered after the page is re-requested.
If the client does not disable cookies, the cookie plays the role of storing the session ID and session lifetime when the session is started.
Let's set the lifetime of the session manually:
Copy CodeThe code is as follows:
Session_Start ();
Save the day
$lifeTime = 24 * 3600;
Setcookie (Session_name (), session_id (), time () + $lifeTime, "/");
?>
In fact, the Session also provides a function session_set_cookie_params (); To set the lifetime of the Session, the function must be called before the session_start () function call:
Copy CodeThe code is as follows:
Save the day
$lifeTime = 24 * 3600;
Session_set_cookie_params ($lifeTime);
Session_Start ();
$_session["Admin"] = true;
?>
If the client uses IE 6.0, Session_set_cookie_params (); There are some problems with the function setting cookie, so let's call the Setcookie function manually to create a cookie.
What if the client disables cookies? There is no way, all the life cycle is the browser process, as long as the browser is closed, request the page again to re-register the Session. So how to pass the session ID? by URL or by hiding the form to pass, PHP will automatically send the session ID to the URL, url shape such as: http://www.openphp.cn/index.php? phpsessid=bba5b2a240a77e5b44cfa01d49cf9669, where the parameter Phpsessid in the URL is the session ID, we can use $_get to get the value, so that the session ID between the page pass.
Copy CodeThe code is as follows:
Save the day
$lifeTime = 24 * 3600;
Gets the current session name, which defaults to PHPSESSID
$sessionName = Session_name ();
Get Session ID
$sessionID = $_get[$sessionName];
Session ID obtained using the session_id () setting
session_id ($sessionID);
Session_set_cookie_params ($lifeTime);
Session_Start ();
$_session["Admin"] = true;
?>
For the virtual host, if all the user's Session is saved in the System temporary folder, will make maintenance difficult, and reduce security, we can manually set the Session file save path, Session_save_path () provides such a function. We can point the Session directory to a folder that cannot be accessed by the Web, and of course the folder must have read/write properties.
Copy CodeThe code is as follows:
Set up a storage directory
$savePath = "./session_save_dir/";
Save the day
$lifeTime = 24 * 3600;
Session_save_path ($savePath);
Session_set_cookie_params ($lifeTime);
Session_Start ();
$_session["Admin"] = true;
?>
With Session_set_cookie_params (); function, the Session_save_path () function must also be called before the session_start () function call.
We can also store arrays, objects in the session. There is no difference between manipulating an array and manipulating a general variable, and if you save the object, PHP automatically serializes the object (also called serialization) and then saves it in the session. This is illustrated in the following example:
Copy CodeThe code is as follows:
Class Person
{
var $age;
function output () {
Echo $this->age;
}
function Setage ($age) {
$this->age = $age;
}
}
?>
Setage. Php
Copy CodeThe code is as follows:
Session_Start ();
Require_once "person. PHP ";
$person = new Person ();
$person->setage (21);
$_session[' person '] = $person;
echo "Check here for output age";
?>
Output. Php
Copy CodeThe code is as follows:
Set the callback function to ensure that the object is rebuilt.
Ini_set (' Unserialize_callback_func ', ' mycallback ');
function Mycallback ($classname) {
$classname. “. PHP ";
}
Session_Start ();
$person = $_session["Person"];
Output 21
$person->output ();
?>
When we execute the setage.php file, we call the Setage () method, set the age to 21, and save the State in the session (PHP will automatically complete the conversion), when the switch to output.php, to output this value, You have to deserialize the object you just saved, and because you need to instantiate an undefined class when the solution is serialized, we define a later callback function that automatically contains the person. PHP is a class file, so the object is refactored and gets the current age value of 21, and then calls the output () method to export the value.
http://www.bkjia.com/PHPjc/317949.html www.bkjia.com true http://www.bkjia.com/PHPjc/317949.html techarticle since the session is stored as a text file on the server side, the client is not afraid to modify the session content. In fact, the server side of the session file, PHP automatically modify the session ...
