PHP implements a set of session mechanisms with cookies

Source: Internet
Author: User
Tags: crypt, session id, php, session, sha1

A PHP session is identified by a session ID carried in a cookie (PHPSESSID) in the visitor's browser. The server uses that ID to locate the session file (/tmp/sess_<id>) and exposes its contents, the session variables, through the $_SESSION array.
PHP sessions are a convenient way to implement shopping carts, verification codes and CSRF token records.
A session variable can hold an associative array as a string produced by serialize().

The two approaches compared here:
PHP sessions: the $_SESSION array, /tmp/sess_xxx files, the PHPSESSID cookie.
A custom cookie (MYID): the cookie is checked against the database for authentication, and session variables live in a session field of an online table.

Password inbound processing (storing a password):
$salt = sha1(uniqid(mt_rand(), true));
$pwd_db = sha1($salt . sha1($pwd_user));
The randomly generated salt $salt and the salted password hash $pwd_db are stored in the user's record in the user table.
To validate a password, the value the user entered is run through the same formula and the result is compared as a string (==, === or strcmp).
This way, even if $pwd_db is leaked from the database, it is hard for an attacker to recover the plaintext password with a rainbow table.
Here:
uniqid() returns a unique ID based on the current time in microseconds, with an optional prefix.
mt_rand() generates a better-quality random number (Mersenne Twister) than rand().

The password value stored in the cookie:
$pwd_cookie = sha1($global_salt . sha1($pwd_db));
When validating a cookie, the user's $pwd_db is looked up by the user ID carried in the cookie, $pwd_cookie is recomputed from it with the formula above, and the two strings are compared.
$global_salt is a system-wide salt defined in config.php; changing it invalidates every cookie at once.

Generating the cookie:
The cookie implements authentication, so the design must prevent the cookie from being forged and prevent the user's plaintext password from being recovered from it.
$value = base64_encode($user_id . '|' . $pwd_cookie);
setcookie($cookie_name, $value);

Parsing the cookie:
Parse the cookie sent by the browser to obtain the user ID, password hash and other information; once authenticated, the session variables in the online table can be read and written.
Steps: base64_decode, explode, then password verification.
Look up the record in the online table by user ID; if none exists, add one, otherwise read the data stored there.
For a shopping cart this means that even when the user logs in from different browsers, the system can still find what the user added to the cart.
This is not possible with plain PHP sessions, because each login creates a different session file (/tmp/sess_xx1, /tmp/sess_xx2).
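The whole flow above (salted storage, cookie token, cookie generation and parsing) as one runnable script. This is an added example, not the original post's code; $global_salt is assumed to come from config.php, the user table is a constructed array, and setcookie() is left out so it runs from the command line. It uses hash_equals() in place of == so the comparison is constant-time and never hits PHP's loose numeric-string comparison.

```php
<?php
// Added example (not the original post's code). Assumptions: $global_salt
// comes from config.php; $users stands in for the user table.

// Password inbound processing: random salt, then sha1($salt . sha1($pwd)).
function make_password_record(string $pwd_user): array {
    $salt   = sha1(uniqid((string) mt_rand(), true));
    $pwd_db = sha1($salt . sha1($pwd_user));
    return ['salt' => $salt, 'pwd_db' => $pwd_db];
}

// Password validation: recompute with the stored salt and compare.
// hash_equals() is constant-time and avoids == treating "0e..." hashes as equal.
function check_password(string $pwd_user, string $salt, string $pwd_db): bool {
    return hash_equals($pwd_db, sha1($salt . sha1($pwd_user)));
}

// The value carried in the cookie: sha1($global_salt . sha1($pwd_db)).
// Changing $global_salt in config.php invalidates every cookie at once.
function cookie_token(string $pwd_db, string $global_salt): string {
    return sha1($global_salt . sha1($pwd_db));
}

// Cookie value: base64("user_id|pwd_cookie").
function make_cookie_value(int $user_id, string $pwd_db, string $global_salt): string {
    return base64_encode($user_id . '|' . cookie_token($pwd_db, $global_salt));
}

// Parse and verify the cookie. $lookup_pwd_db returns the stored $pwd_db for a
// user ID (or null). Returns the user ID on success, null on any failure.
function parse_cookie_value(string $value, string $global_salt, callable $lookup_pwd_db): ?int {
    $decoded = base64_decode($value, true);             // strict: reject junk bytes
    if ($decoded === false) return null;
    $parts = explode('|', $decoded, 2);
    if (count($parts) !== 2 || !ctype_digit($parts[0])) return null;
    $pwd_db = $lookup_pwd_db((int) $parts[0]);
    if ($pwd_db === null) return null;
    return hash_equals(cookie_token($pwd_db, $global_salt), $parts[1]) ? (int) $parts[0] : null;
}

// Usage with a constructed user record (stands in for the user table):
$global_salt = 'change-me-in-config.php';                // assumed from config.php
$users = [1 => make_password_record('correct horse')];   // constructed
$cookie = make_cookie_value(1, $users[1]['pwd_db'], $global_salt);
$uid = parse_cookie_value($cookie, $global_salt, fn($id) => $users[$id]['pwd_db'] ?? null);
var_dump($uid === 1 && check_password('correct horse', $users[1]['salt'], $users[1]['pwd_db']));
var_dump(parse_cookie_value(base64_encode('1|forged'), $global_salt, fn($id) => $users[$id]['pwd_db'] ?? null));
```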

Storing session variables:
Create an in-memory (MEMORY engine) online table in MySQL, with one record per cookie, and add a field to store the session variables.
For example, to implement a shopping cart, add a cart field that stores the item array serialized with serialize().
You can even add a single session field holding all session variables and treat it as the session file: the array obtained by unserialize() from this field is the equivalent of $_SESSION.

Reducing the database cost of validating the cookie on every request:
To avoid querying the database to validate the cookie on every request, consider setting a session variable that records the login state.
Alternatively, store $user_id and $pwd_db in Redis and validate the cookie directly from Redis: look up $pwd_db by $user_id in a hash, recompute the cookie value and compare.
$sess_1 = array('pwd_db' => $pwd_db, 'name' => 'Joe', 'role' => 'student');
$redis->hset('sessions', 'user_1', json_encode($sess_1));
print_r(json_decode($redis->hget('sessions', 'user_1'), true));
memcached works the same way: the session user ID is the key, a JSON-encoded string is the value, and $pwd_db is one member of that JSON string.
For comparison, Discuz! encrypts its cookie and queries the MySQL database for authentication.
Contrast:
Redis/memcached: key (user ID), value (user password hash + session variable array)
MySQL: primary key (user ID), field (session variable array)
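The Redis variant described above, as an added example rather than the post's own code: $pwd_db and the session variables live in one Redis hash field, the cookie is validated against that field alone, and a session variable (the cart) is updated in place. It assumes the phpredis extension (new Redis()), a server on 127.0.0.1:6379, $global_salt from config.php, and that the user ID and $pwd_cookie have already been split out of the cookie as described earlier.

```php
<?php
// Added example, not the original post's code. Assumptions: phpredis, hash key
// 'sessions' with field 'user_<id>' holding a JSON object, $global_salt from config.php.

// At login: store $pwd_db together with the initial session variables.
function redis_store_session(Redis $redis, int $user_id, string $pwd_db, array $vars): void {
    $redis->hset('sessions', 'user_' . $user_id, json_encode(['pwd_db' => $pwd_db] + $vars));
}

// Validate the (user ID, $pwd_cookie) pair against Redis only. Returns the
// session variables (without pwd_db) on success, null on failure; no MySQL query.
function redis_auth_cookie(Redis $redis, int $user_id, string $pwd_cookie, string $global_salt): ?array {
    $json = $redis->hget('sessions', 'user_' . $user_id);
    if ($json === false) return null;                         // unknown user / expired
    $sess = json_decode($json, true);
    if (!is_array($sess) || !isset($sess['pwd_db'])) return null;
    // Same formula as the cookie generator: sha1($global_salt . sha1($pwd_db)).
    $expected = sha1($global_salt . sha1($sess['pwd_db']));
    if (!hash_equals($expected, $pwd_cookie)) return null;    // constant-time compare
    unset($sess['pwd_db']);                                   // never hand the hash to callers
    return $sess;
}

// Update one session variable (e.g. the shopping cart) in the same hash field,
// so the cart follows the user across browsers.
function redis_set_var(Redis $redis, int $user_id, string $key, $value): void {
    $json = $redis->hget('sessions', 'user_' . $user_id);
    $sess = $json === false ? [] : (json_decode($json, true) ?: []);
    $sess[$key] = $value;
    $redis->hset('sessions', 'user_' . $user_id, json_encode($sess));
}

// Usage with constructed values:
$redis = new Redis();
$redis->connect('127.0.0.1', 6379);
$global_salt = 'change-me-in-config.php';                     // assumed from config.php
$pwd_db = sha1('constructed-salt' . sha1('secret'));          // as stored in the user table
redis_store_session($redis, 1, $pwd_db, ['name' => 'Joe', 'role' => 'student']);
redis_set_var($redis, 1, 'cart', [['item' => 'book', 'qty' => 2]]);
$pwd_cookie = sha1($global_salt . sha1($pwd_db));             // the value carried in the cookie
print_r(redis_auth_cookie($redis, 1, $pwd_cookie, $global_salt));   // name, role, cart
var_dump(redis_auth_cookie($redis, 1, 'forged', $global_salt));     // NULL
```

Changing $global_salt or a user's $pwd_db changes the expected value, so every cookie issued before that change fails here exactly as it would against MySQL.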

Postscript:
Related password-hashing functions: password_hash (recommended), crypt (Blowfish), hash, sha1, md5.
PHP does not recommend using sha1 to "encrypt" (hash) passwords; the recommended choice is PHP's native password-hashing function password_hash.
password_hash was introduced in PHP 5.5; for older versions there is a compatibility library written in PHP that implements it on top of crypt.
See the official article "PHP Password Hashing Security".
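How a site built on the sha1($salt . sha1($pwd)) scheme above can move to password_hash() without a forced reset: legacy rows are verified with the old formula on the user's next successful login and rewritten as bcrypt. This is an added example, not from the post; the user record is a constructed array, and the column names are assumed.

```php
<?php
// Added example, not the original post's code. $record stands in for a row of the
// user table with columns 'pwd_db' and 'salt' (salt is NULL once migrated).

// Verify against either format and return the (possibly upgraded) record,
// or null when the password is wrong.
function verify_and_upgrade(string $pwd_user, array $record): ?array {
    if ($record['salt'] !== null) {
        // Legacy salted-SHA1 row: check with the old formula, then replace it.
        if (!hash_equals($record['pwd_db'], sha1($record['salt'] . sha1($pwd_user)))) {
            return null;
        }
        $record['pwd_db'] = password_hash($pwd_user, PASSWORD_DEFAULT); // bcrypt, salt embedded
        $record['salt']   = null;
        return $record;
    }
    if (!password_verify($pwd_user, $record['pwd_db'])) {
        return null;
    }
    // Already password_hash: rehash only if the algorithm or cost is out of date.
    if (password_needs_rehash($record['pwd_db'], PASSWORD_DEFAULT)) {
        $record['pwd_db'] = password_hash($pwd_user, PASSWORD_DEFAULT);
    }
    return $record;
}

// Usage with a constructed legacy row:
$salt     = sha1(uniqid((string) mt_rand(), true));
$legacy   = ['salt' => $salt, 'pwd_db' => sha1($salt . sha1('secret'))];
$upgraded = verify_and_upgrade('secret', $legacy);             // rehashed to bcrypt
var_dump($upgraded !== null && $upgraded['salt'] === null);    // bool(true)
var_dump(verify_and_upgrade('secret', $upgraded) !== null);    // bool(true), via password_verify
var_dump(verify_and_upgrade('wrong', $upgraded) === null);     // bool(true)
```

Because the cookie token is derived from $pwd_db, rewriting the hash invalidates the user's existing cookie; reissue it right after the upgrade.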
