Since the Session is stored on the server side in the form of a text file, there is no fear of the client modifying the Session content. In fact, in the Session file on the server side, PHP automatically modifies the permissions of the Session file, retaining only system read and write permissions, and cannot be modified through ftp, so it is much safer.
For Cookie, assuming we want to verify whether the user is logged in, we must save the username and password (possibly an md5 encrypted string) in the Cookie and verify it every time the page is requested. If the username and password are stored in the database, a database query must be executed every time, causing unnecessary burden on the database. Because we can't do just one verification. why? Because the information in the client cookie may be modified. If you store the $admin variable to indicate whether the user is logged in, when $admin is true, it means logged in, and when it is false, it means not logged in. After passing the verification for the first time, $admin equals true will be stored in the cookie, and there will be no need to verify next time. Yes, is this right? Wrong, if someone forges a $admin variable with a value of true, doesn’t that mean he or she will immediately gain administrative rights? Very unsafe.
The Session is different. The Session is stored on the server side. Remote users cannot modify the contents of the Session file. Therefore, we can simply store a $admin variable to determine whether to log in. After the first verification is passed, set the $admin value to true. Determine whether the value is true. If not, go to the login interface, which can reduce a lot of database operations. And it can reduce the insecurity of passing the password every time to verify the cookie (Session verification only needs to be passed once, if you do not use the SSL security protocol). Even if the password is md5 encrypted, it can be easily intercepted.
Of course there are many advantages to using Session, such as easy control, user-defined storage, etc. (stored in the database). I won’t say much more here.
Does Session need to be set in php.ini? Generally not needed, because not everyone has the permission to modify php.ini. The default storage path of Session is the system temporary folder of the server. We can customize it and store it in our own folder. I will introduce this later. .
Start introducing how to create a Session. Very simple, really.
Start Session and create a $admin variable:
// Start Session
session_start();
// Declare a variable named admin and assign a null value.
$_SESSION["admin"] = null;
?>
If you use Seesion, or the PHP file wants to call the Session variable, you must start it before calling the Session, using the session_start() function. You don’t need to set anything else. PHP automatically creates the Session file.
After executing this program, we can go to the system temporary folder to find the Session file. The general file name is in the form: sess_4c83638b3b0dbf65583181c2f89168ec, followed by a 32-bit encoded random string. Open it with an editor and take a look at its content:
admin|N; Generally, the content has the following structure:
Variable name|Type: length: value; And separate each variable with a semicolon. Some can be omitted, such as length and type.
Let’s take a look at the verification procedure, assuming that the database stores the username and md5 encrypted password:
login.php
// After the form is submitted...
$posts = $_POST;
// Clear Some whitespace
foreach ($posts as $key => $value) {
$posts[$key] = trim($value);
}
$password = md5($posts["password"]);
$username = $posts["username"];
$query = "SELECT `username` FROM `user` WHERE `password` = '$password' AND `username` = '$username'";
// Get query results
$userInfo = $DB->getRow($query);
if (!empty($userInfo)) {
// When the verification is passed, start the Session
session_start();
// Register the admin variable for successful login , and assign the value true
$_SESSION["admin"] = true;
} else {
die("wrong username and password");
}
?>
We start the Session on the page that requires user verification to determine whether to log in. :
// Prevent global variables from causing security risks
$admin = false;
// Start the session, this step is essential
session_start();
// Determine whether to log in
if (isset($_SESSION ["admin"]) && $_SESSION["admin"] === true) {
echo "You have successfully logged in";
} else {
// Verification failed, set $_SESSION["admin"] to false
$_SESSION["admin"] = false;
die("You do not have permission to access");
}
?>
Isn’t it very simple? Just think of $_SESSION as an array stored on the server side. Each variable we register is the key of the array, which is no different from using an array.
What should I do if I want to log out of the system? Just destroy the Session.
session_start();
// This method is to destroy a previously registered variable
unset($_SESSION['admin']);
// This method is to destroy the entire Session file
session_destroy ();
?>
Can Session set the life cycle like Cookie? With Session, does it mean to abandon Cookie completely? I would say that it is most convenient to use Session in combination with Cookie.
Current page 1/2 12Next page
The above is an introduction to learning PHP. It is recommended that friends who learn PHP session must read the 1/2 page of Getting Started with PHP Session, which includes the content of learning PHP. I hope it will be helpful to friends who are interested in PHP tutorials.
![[Web front-end] Node.js quick start](https://img.php.cn/upload/course/000/000/067/662b5d34ba7c0227.png)
