When a user logged in website, I only save user_id
in SESSION to check it later whether user logged in or not.
if(!empty($_SESSION['user_id'])){
....
Is this enough for se开发者_如何学编程curity?
This would depend entirely on how that variable makes it to the session and how well you're managing session.
One case to always consider when dealing with web-site security and user credentials is the possibility of a user logging on to your site in a public environment and then walking away. How long will he stay logged in? How accessible is the sensitive information when already logged in?
If you have a relatively short session timeout and are making sure that you are managing what makes it into $_SESSION['user_id'] then this is a reasonable approach. It may be better to actually check the VALUE of what is in $_SESSION['user_id'] but that won't be a huge improvement over what you currently have.
The main thing that I would recommend taking into account would be to require login credentials once more if a user ever wants to alter their account's details / access overly sensitive data (you wouldn't want a stranger changing your users' login names would you?). While this may be a bit of a hassle for regular users, it definitely adds a good measure of security to your application.
The value could only be changed if someone has access to the session files.
So usually yes.
But I would rather use isset()
:
function loggedIn()
{
if (isset($_SESSION['user_id']) && is_numeric($_SESSION['user_id']))
return true;
return false;
}
Because if the user id is 0, empty()
will also return true!
If you are in a shared hosting environment, somebody else on the same server could potentially create a valid session and gain access.
Or, someone could be sniffing network traffic as one of your users visits the site and could catch the cookie and gain access to their account since you just using simple session based authentication.
A common way to fix this problem is to create a database table, perhaps called "sessions", and record the session id, IP address, and any other user-specific data you want to gather when the user first logs in. You can then repeatedly check against this session table to help ensure that it is indeed the original user logged in and not somebody else.
It depends...
if you never do something like $_SESSION['user_id'] = $_GET['user_id'] you can usually say: it is save.
BUT there are things like session hijacking, cross site scripting, cross site request forgeries, and so on.
Use
if(!isset($_SESSION($user_id){
Because if the $user_id==0 then isempty() will not work and be sure that the session which is not required on another page must be unset after the page end for the better security. The method to unset a particular session variable is
unset($_session_variable_name);
and the session should be destroyed whenever it is required ie when a user logout.
Thanks
Not really, apart from the comments above you should further check properties like IP-address or USER_AGENT to avoid session-hijacking.
精彩评论