简单的SESSION管理,我必须使用session_id,session_name吗?

时间:2013-12-17 02:58:36

标签: php session login session-variables

我写了一个简单的会话例程(尚未完全测试)看起来它正常工作。

  session_start();
  if (!isset($_SESSION["CREATED"])) 
    $_SESSION["CREATED"] = time();
  else if (time() > $_SESSION["CREATED"] + 10) {
    session_regenerate_id(true);
    $_SESSION["CREATED"] = time();
  };
  echo session_name() . "=" . session_id() . "<br>\n";
  print_r($_SESSION);
  echo "<br>\n";
// 6 possible cases: 
// 1, ["USER_ID"] present ...
  if (isset($_SESSION["USER_ID"])) {
// 1a, ... and ["LOGOUT"] present, logut required ...
    if (isset($_REQUEST["LOGOUT"])) {
      echo "user " . $_SESSION["USER_NAME"] . " logged out successfuly, good bye.\n";
      session_unset();
      session_destroy();
// 1b, ... and (["LAST_ACTIVITY"] not expired or ["NEVER_LOGOUT"] is true) ...
    } elseif ((isset($_SESSION["LAST_ACTIVITY"]) && (time() < $_SESSION["LAST_ACTIVITY"] + 5)) ||
       ((isset($_SESSION["NEVER_LOGOUT"]) && $_SESSION["NEVER_LOGOUT"]))) {
      echo "user " . $_SESSION["USER_NAME"] . " logged in, no further action needed\n";
      $_SESSION["LAST_ACTIVITY"] = time();
// 1c, ... and ["LAST_ACTIVITY"] expired and no ["NEVER_LOGOUT"] ...
    } else {
      echo "user " . $_SESSION["USER_NAME"] . " logged in, session expired, login required\n";
      session_unset();
      session_destroy();
    };  
// 2, ... no ["USER_ID"] and no (["LOGIN_EMAIL"] or ["LOGIN_PASSWORD"]) ...
  } elseif (!isset($_REQUEST["LOGIN_EMAIL"]) || !isset($_REQUEST["LOGIN_PASSWORD"])) {
      echo "missing user and no login details, login required\n";
      session_unset(); // do i need these here?
      session_destroy();
// 3, ... no ["USER_ID"] and ["LOGIN_EMAIL"] and ["LOGIN_PASSWORD"] are present ...
  } else {
      echo "missing user, authentication needed (database)...\n";
// 3a, ... authenticated successfuly, logged in, happiness.
      if ($this->db_login($_REQUEST["LOGIN_EMAIL"], $_REQUEST["LOGIN_PASSWORD"], $userID, $userName)) {
        echo "... user $userName logged in, successful authentication";
        $_SESSION["USER_ID"] = $userID;
        $_SESSION["USER_NAME"] = $userName;
        $_SESSION["LAST_ACTIVITY"] = time();
        $_SESSION["NEVER_LOGOUT"] = isset($_REQUEST["LOGIN_NEVER_LOGOUT"]) && $_REQUEST["LOGIN_NEVER_LOGOUT"];
// 3b, ... authentication failed, user not exists or wrong details provided, retry.
      } else {
        echo "... authentication failed, provide correct login details (or leave me alone)";
      };
  };

这是db_login():

private function db_login($loginEmail, $loginPassword, &$userID, &$userName) {
  // no real DB access yet, dummy code, only for test purpose ...
  if ($loginEmail != "johnsmith@gmail.com")
    return false;
  $userID = 5;
  $userName = "John Smith";
  return true;
}

客户端HTML:

<form action="main.php" method="POST" id="login">
  <pre>e-mail:<input type="text" size=40 name="LOGIN_EMAIL" value="johnsmith@gmail.com"></pre>
  <pre>password:<input type="password" size=30 name="LOGIN_PASSWORD" value="johnsmith"></pre>
  <pre>never log out<input type="checkbox" name="LOGIN_NEVER_LOGOUT" value="true" checked></pre>
  <input type="submit" value="Login">
</form>

我的问题是:
- 什么是session_id,session_name为什么? - 我应该以任何方式使用它们吗? - 他们有什么好处?
- 为了使代码更安全,我应该做得更好或不同吗? 如果我在上面的代码中做错了,请告诉我。虽然我已经阅读了几十篇文章,主题,但我并不完全理解会话的逻辑,所以很有可能出错。

更新:忘记提及所有“回声”仅用于测试目的。

0 个答案:

没有答案
相关问题
最新问题