http The protocol is stateless, and for each request, the server cannot distinguish between users. PHP session control gives the user a key (an encrypted session string), which is also a proof of the user's identity. The server stores the box (database, memory database or Made using files), the box contains the user's various variable information.
Where is this key?
1, url query string
2, browser cookie
<?php //page1.php 启动一个会话并注册一个变量session_start(); $_SESSION['user_var'] = "hello,codekissyoung!"; //这里的可以将$_SESSION理解为用户的箱子,实际的实现是php在服务器端生成的小文件 ?>
<?php //page2.php session_start(); echo $_SESSION['user_var']; //通过钥匙访问自己的箱子内的变量 $_SESSION['user_var'] = "bey,codekissyoung!";
<?php//page3.php 销毁钥匙,一般在用户注销时,访问page3.php文件session_start(); session_destroy();?>
One question, where is the key? Didn’t you see the operation of giving the user the key?
This operation is done for us behind PHP. Since you visit page1.php and the program runs, session_start();, PHP will generate it based on some conditions at the moment (user IP, browser number, time, etc.) A PHPSESSID variable. After the http response is returned to the client, this PHPSESSID is already stored in your browser cookie. Every time you visit this domain name again, the PHPSESSID will be sent to the server. This PHPSESSID is the user key I am talking about here.
One more question, the security of this PHPSESSID, is it easy to be stolen, is it easy to be forged, is it easy to be tampered with?
Using HTTPS can prevent tampering. Do not use PHPSESSID, but generate a secret key for the user to prevent forgery. As for whether it is easy to be stolen, there is really no research on it. For example, if your computer is connected to the Internet and hackers invade your computer.
设置cookiesetCookie('key','value',time()+3600); 删除cookiesetCookie('key','',time()-1);
Single sign-on: share a set of users between multiple subsystems Authentication system, logging in from one place gives access to all subsystems.
Imagine this scenario: Assume that the php environments of servers A and B are the same. The user got his key on server A, and then he took the key to access server B. Does he know server B?
Obviously not, the key generated by server A is not recognized by the server.
Solution: Regardless of whether the user accesses A or B, the generated key is stored in C (the same database, or cache system). When the user accesses A or B again, both A and B will ask C: This Is the user's key correct? If it is correct, the user can use the box stored in A or B.
<?php session_regenerate_id(); //重置 session 字符 $session_info=array('uid'=>$uid,'session'=>session_encrypt(session_id().time())); //下一步将,$session_info 存到 C 中
The above is the detailed content of Detailed introduction to the example code of php session control. For more information, please follow other related articles on the PHP Chinese website!