PHP user authentication tutorial without sessions

蓝咒 submitted on 2021-01-27 12:20:32

Question


I need to build my own system for part of a computer security project without using PHP sessions (just cookies) and I'm just lost. All the tutorials I've found use sessions (for good reason), so I was wondering if anyone knew of a roll-your-own PHP user authentication tutorial.


Answer 1:


You could basically implement something session-like yourself.

This would include the following tasks:

  • generate a random session id for new users (or on login - based on the exact use...)
  • save it into a cookie
  • save additional session information somewhere on the server together with the session id (e.g. in a database table)
  • on subsequent page accesses check the session id in the cookie versus the data on the webserver to identify users and grant access

However, it should be mentioned that a cookie-only solution is never that good. If a client, for example, doesn't have cookies enabled, it won't work at all. A possible solution for this is to send the session id as a GET parameter with every internal link if cookies are not enabled.
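
The four steps listed in this answer, as an added example that is not part of the original answers. The cookie name `sid`, the `sessions` table, the 30-minute lifetime and storing only a SHA-256 hash of the id on the server are assumptions of this sketch, and it needs the `pdo_sqlite` extension.

```php
<?php
declare(strict_types=1);
// Added example, not from the answers. Assumed names: table "sessions", cookie "sid".
const COOKIE_NAME = 'sid';
const LIFETIME = 1800; // seconds; assumed 30-minute lifetime

function openStore(string $dsn = 'sqlite::memory:'): PDO {
    $db = new PDO($dsn, null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
    $db->exec('CREATE TABLE IF NOT EXISTS sessions (
        id_hash TEXT PRIMARY KEY, user_id INTEGER NOT NULL, expires INTEGER NOT NULL)');
    return $db;
}

// Call after the password check succeeds; returns the value to put in the cookie.
function startSession(PDO $db, int $userId): string {
    $token = bin2hex(random_bytes(32)); // 256 bits from the CSPRNG
    $db->prepare('INSERT INTO sessions VALUES (?, ?, ?)')
       ->execute([hash('sha256', $token), $userId, time() + LIFETIME]);
    return $token;
}

// Web requests only: must run before any output is sent.
function sendCookie(string $token): void {
    setcookie(COOKIE_NAME, $token, [
        'expires' => time() + LIFETIME, 'path' => '/',
        'secure' => true, 'httponly' => true, 'samesite' => 'Lax',
    ]);
}

// Returns the user id for a valid, unexpired token, or null. $token is untrusted input.
function currentUser(PDO $db, $token): ?int {
    if (!is_string($token) || !preg_match('/\A[0-9a-f]{64}\z/', $token)) {
        return null;
    }
    $q = $db->prepare('SELECT user_id FROM sessions WHERE id_hash = ? AND expires > ?');
    $q->execute([hash('sha256', $token), time()]);
    $row = $q->fetch(PDO::FETCH_NUM);
    return $row === false ? null : (int) $row[0];
}

function endSession(PDO $db, string $token): void {
    $db->prepare('DELETE FROM sessions WHERE id_hash = ?')->execute([hash('sha256', $token)]);
}

// Constructed CLI demo; on a web request pass $_COOKIE[COOKIE_NAME] ?? null instead.
$db = openStore();
$token = startSession($db, 42);
var_dump(currentUser($db, $token), currentUser($db, str_repeat('0', 64)));
endSession($db, $token);
var_dump(currentUser($db, $token));
```

The cookie carries only the random id; the user id and expiry stay in the server-side table, so editing the cookie cannot change who the server thinks you are.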




Answer 2:


Sessions would make it much easier. That being said, where are you getting stuck mate?

To get started using Cookies in PHP, check this out: http://www.w3schools.com/php/php_cookies.asp

You could either

  • implement your own Session handling as s1lence suggests (which might be exactly what the professor wants you to do) or
  • implement your own Session handling through appending the session id to the QueryString (making it work for non-cookie browsers) or
  • you could store the user/password pair in cookies (which would force you to reauthenticate the user for every request)

I wouldn't recommend the latter, but if it's all about avoiding the Session Mechanism it's an option I guess. And a last remark: if this doesn't have something to do with understanding why Session is important, you should really question your teacher's task. ;)




Answer 3:


You should not use cookies for such a system because cookies are stored on the client side, and anyone can change them. Sessions are stored on the server side and only you can change them (other system users can also change them if they have directory access, or DB access if you store sessions in a DB). If you strongly need to use cookies, you can encrypt the login/password and write it to the cookie, but using sessions is safer.



Source: https://stackoverflow.com/questions/9254822/php-user-authentication-tutorial-without-sessions
