我目前正在尝试找到最好的 - 安全方法,将我生成的会话链接到我的数据库中的用户。在用户使用有效凭据登录时,他们将使用
生成会话function sessionStart(){
ini_set('session.use_only_cookies', 1); // Forces sessions to only use cookies.
ini_set('session.entropy_file', '/dev/urandom'); // better session id's, more random than PHP's default.
ini_set('session.entropy_length', '512'); // How many bytes which will be read from the above file. 512 = overkill?
ini_set('session.hash_function','sha512');
ini_set('session.hash_bits_per_character','6');
$session_name = 'sec_login'; // Sets a custom session name.
$secure = false; // Set to true if HTTPS is being used.
$httponly = true; // Stops Javascript from being able to read the cookies.
$cookieParams = session_get_cookie_params(); // Gets current cookies params.
session_set_cookie_params($cookieParams["lifetime"], $cookieParams["path"], $cookieParams["domain"], $secure, $httponly);
session_name($session_name); // Sets the session name to the one set above.
session_start();
session_regenerate_id(); // regenerated the session, delete the old one.
}
理论上,这会生成唯一的安全ID,可用于识别用户。我唯一的问题是如何将生成的会话链接到用户?
我假设最好的方法是创建一个包含两列(userId和SessionId)的数据库表,在创建会话时填充相应的userIds和sessionIds,并在用户重新加载不同页面或删除时更新当用户注销时