开发者

How can I check whether a session is valid per page?

开发者 https://www.devze.com 2023-03-29 19:24 出处:网络
So, if a login/registration system is created, so that when the user logs 开发者_如何学Pythonin, the user is redirected to another members-only page (member.php), I would store the login information i

So, if a login/registration system is created, so that when the user logs 开发者_如何学Pythonin, the user is redirected to another members-only page (member.php), I would store the login information in the user's session.

When the user navigates to the members page, prior to allowing him to see content, I'd want to make sure that the username/password is valid, and the user is validly logged in. How might I ensure that the user is validly logged in when he/she gets to the member's page, to me it seems like using:

if (!isset($_SESSION['username']))
{
    die("You aren't allowed to access this page");
}

would work, however I want to ensure it's secure, and to me, it just doesn't seem secure enough (because if there was some way of spoofing a session, all they'd have to do would be to include any sort of text as the username).

I don't really know, so how would I check whether the user should have access to the page?


Session variables are stored on your server, not on the users computer like a cookie. So the user can't ever modify $_SESSION['username']. The only thing you have to really be wary of with sessions is session hijacking (where a user gets the session id of another logged in user, and uses it to pose as that user)


A user may spoof a session ID cookie if they know a valid value, but not the session data itself, which is stored on the server.

Thus, they may not just "send you" session data with a certain username.

If they have access to the browser of someone who is logged in, they may be able to steal their SESSID (which is stored on the client), but per-IP sessions can mitigate that somewhat.


Put an encrypted password cookie/session var with a salt perhaps, to be checked against the db every now and then.

0

精彩评论

暂无评论...
验证码 换一张
取 消