Question
I have a few questions here if anyone can help me out. First off, I am in the process of creating a login system for users of my application. I am using shared hosting (DreamHost), and I am wondering: after the user logs in successfully, how can I verify that the user is logged in on other pages? I am assuming that I use session variables, but the user's name needs to be stored for certain purposes. Is it safe to store the user's name in a session variable, and is it secure to basically just store whether the user is logged in, in a session variable, e.g. $_SESSION['logged'] = 1; or whatever? Also, I have been reading that anyone can access my session data since I am on shared hosting, so should that be changed? Or should I just use something other than session variables altogether?
Answer 1:
The default session storage configuration will probably use a location shared between all the users on your shared hosting. To verify this, take a look at the output of phpinfo(), in particular the session.save_path and session.save_handler settings. These settings are documented in the PHP session configuration documentation.

Your shared hosting may run your PHP processes as your user, as opposed to a system user. In that case, you can change session.save_path to a directory in your home directory that is owned by you and has permissions that prevent other users from reading that directory (700, for example).

If your shared hosting runs PHP as a system user, you basically can't get a secure way to store those files. You can then use a database-backed session storage option instead, set with session_set_save_handler(), although I'm not sure how you could prevent others from reading your configuration settings.
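The following is an added example, not code from the question or the answer above. It puts both suggestions into one bootstrap: when PHP runs as the account owner it points session.save_path at an owner-only (0700) directory; otherwise it swaps in a database-backed handler via session_set_save_handler(). It also shows the login/check pattern the question asks about (a flag plus the user's id and name in $_SESSION), with session_regenerate_id() on login to defeat session fixation. The path /home/you/.php_sessions, the sessions table schema, and the PdoSessionHandler class name are assumptions for illustration; REPLACE INTO is MySQL/SQLite syntax and would need adjusting for other databases.

```php
<?php
declare(strict_types=1);

// Added example (not from the original post). Assumes PHP 8+.
// Assumed table for the database path: sessions(id VARCHAR(128) PRIMARY KEY, data BLOB, updated_at INT)
final class PdoSessionHandler implements SessionHandlerInterface
{
    public function __construct(private PDO $db) {}
    public function open(string $path, string $name): bool { return true; }
    public function close(): bool { return true; }

    public function read(string $id): string|false
    {
        $st = $this->db->prepare('SELECT data FROM sessions WHERE id = ?');
        $st->execute([$id]);
        $row = $st->fetchColumn();
        return $row === false ? '' : (string) $row;   // '' means "no such session"
    }

    public function write(string $id, string $data): bool
    {
        $st = $this->db->prepare('REPLACE INTO sessions (id, data, updated_at) VALUES (?, ?, ?)');
        return $st->execute([$id, $data, time()]);
    }

    public function destroy(string $id): bool
    {
        return $this->db->prepare('DELETE FROM sessions WHERE id = ?')->execute([$id]);
    }

    public function gc(int $max_lifetime): int|false
    {
        $st = $this->db->prepare('DELETE FROM sessions WHERE updated_at < ?');
        $st->execute([time() - $max_lifetime]);
        return $st->rowCount();
    }
}

// Call once at the top of every page, before any output.
// Pass a PDO connection to use the database handler; pass null to use a private file directory.
function start_secure_session(?PDO $db = null): void
{
    if ($db !== null) {
        session_set_save_handler(new PdoSessionHandler($db), true);
    } else {
        $savePath = '/home/you/.php_sessions';      // hypothetical path, outside the web root
        if (!is_dir($savePath)) {
            mkdir($savePath, 0700, true);          // owner-only directory
        }
        chmod($savePath, 0700);                     // in case umask widened it
        ini_set('session.save_handler', 'files');
        ini_set('session.save_path', $savePath);
    }

    // Harden the session cookie itself.
    ini_set('session.use_strict_mode', '1');        // reject ids the server never issued
    ini_set('session.use_only_cookies', '1');       // never accept a session id in the URL
    session_set_cookie_params([
        'lifetime' => 0,
        'path'     => '/',
        'secure'   => true,                         // HTTPS only
        'httponly' => true,                         // not readable from JavaScript
        'samesite' => 'Lax',
    ]);
    session_start();
}

// Record a successful login. A fresh id means any pre-login id an attacker planted is useless.
function login_user(int $userId, string $username): void
{
    session_regenerate_id(true);
    $_SESSION['logged']   = true;
    $_SESSION['user_id']  = $userId;
    $_SESSION['username'] = $username;   // safe: the value lives server-side, the client only holds the id
    $_SESSION['login_at'] = time();
}

// The check every protected page performs; returns null when not logged in.
function current_user(): ?array
{
    if (empty($_SESSION['logged']) || !isset($_SESSION['user_id'])) {
        return null;
    }
    return ['id' => (int) $_SESSION['user_id'], 'name' => (string) $_SESSION['username']];
}

// Usage on a protected page:
// start_secure_session();                 // or start_secure_session($pdo)
// $user = current_user() ?? (header('Location: /login.php') ?: exit);
// echo 'Hello, ' . htmlspecialchars($user['name']);
```

Whichever storage you end up with, the $_SESSION contents never leave the server; the browser only ever holds the session id cookie, so the name itself is no more exposed than the logged flag. What matters is who else on the host can read the backing store, which is exactly what the private directory or the database handler addresses.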
Source: https://stackoverflow.com/questions/4477311/how-to-securely-set-session-variables-for-logging-someone-in