Since the Session is stored on the server as a text file, we need not worry about the client modifying its content. In fact, PHP automatically sets the permissions of the Session file on the server side so that only the system retains read and write access, and the file cannot be modified through FTP, so it is much safer.
For cookies, if we want to verify whether the user is logged in, we must save the user name and password (probably an md5-encrypted string) in the cookies and verify them each time a page is requested. If the user name and password are stored in the database, a database query must be executed every time, which puts an unnecessary burden on the database. We cannot verify just once. Why? Because the information in the client cookie may be modified. Suppose you store an $admin variable to indicate whether the user is logged in: true means logged in, false means not logged in. After the first verification passes, $admin is set to true and stored in a cookie, so there is no need to verify next time, right? Wrong. If someone forges an $admin variable with a value of true, they obtain management permission immediately. Very unsafe.
Session is different. Session is stored on the server side, and remote users cannot modify the content of the Session file. Therefore, we can simply store an $admin variable to record whether the user is logged in. After the first verification passes, $admin is set to true, and later pages only check whether the value is true. If not, they redirect to the login interface, which saves many database operations. It also reduces the insecurity of sending the password for cookie verification on every request (with Session, the password only needs to be sent once). If you do not use the SSL security protocol, even a password encrypted with md5 is easy to intercept.
Of course, using Session has many advantages, such as easy control, and can be customized according to the user, etc. (stored in the database). I won't say much here.
Does Session need to be configured? Generally not, because not everyone has permission to modify it. The default storage path of the Session is the server's system temporary folder. We can change it to a folder of our own. I will introduce this later.
Let’s start by introducing how to create a Session. Very simple, really.
Start the Session and create a $admin variable:
<?php
// Start Session
session_start();
// Declare a variable named admin and assign a null value.
$_SESSION["admin"] = null;
?>
If you use Session, or if a PHP file wants to access a Session variable, you must call the session_start() function before touching the Session. Nothing else needs to be set up; PHP creates the Session file automatically.
After executing this program, we can find the Session file in the system's temporary folder. The file name generally looks like this: sess_4c83638b3b0dbf65583181c2f89168ec, that is, sess_ followed by a random 32-character string. Open it with an editor and take a look at its contents:
admin|N;
Generally, the content has the following structure:
Variable name | Type: Length: Value;
Each variable is separated by a semicolon. Some parts, such as length and type, can be omitted.
Let’s take a look at the verification program. Assume that the database stores the user name and md5 encrypted password:
<?php
// After the form is submitted...
$posts = $_POST;
// Clear some blank symbols
foreach ($posts as $key => $value) {
    $posts[$key] = trim($value);
}
$password = md5($posts["password"]);
$username = $posts["username"];
// Note: $username is placed in the SQL string unescaped. Escape it or bind it
// as a parameter with your database layer before running the query.
$query = "SELECT `username` FROM `user` WHERE `password` = '$password' AND `username` = '$username'";
// Acquiring query results
$userInfo = $DB->getRow($query);
if (!empty($userInfo)) {
    // A matching user was found: start the Session
    session_start();
    // Register the admin variable that has been successfully logged in and assign a value of true
    $_SESSION["admin"] = true;
} else {
    die("Incorrect user name or password");
}
?>
On each page that requires user verification, we start the Session and check whether the user is logged in:
<?php
// Prevent global variables from causing safety hazards
$admin = false;
// Start the session, this step is essential
session_start();
// Judge whether to log in
if (isset($_SESSION["admin"]) && $_SESSION["admin"] === true) {
    echo "You have successfully logged in";
} else {
    // Verification failed, set $_SESSION["admin"] to false
    $_SESSION["admin"] = false;
    die("You do not have permission to access");
}
?>
Isn't it very simple? Just think of $_SESSION as an array stored on the server side. Each variable we register is an array key, which is no different from using an array.
What should I do if I want to log out of the system? Just destroy the Session.
<?php
session_start();
// This method is to destroy a variable originally registered
unset($_SESSION['admin']);
// This method is to destroy the entire Session file
session_destroy();
?>
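A hardened variant of the verification and logout programs above, given here as an added example that is not the tutorial author's code. It assumes PDO with SQLite, a hypothetical `user` table with a `password_hash` column, and PHP 7.3 or later.

```php
<?php
// Added example, not the tutorial author's code. Assumptions: PDO with SQLite,
// a hypothetical `user` table, and hashes created by password_hash().
function login(PDO $db, string $username, string $password): bool
{
    // Bound parameter: the user name is data, never part of the SQL text.
    $stmt = $db->prepare('SELECT password_hash FROM user WHERE username = ?');
    $stmt->execute([trim($username)]);
    $hash = $stmt->fetchColumn();
    // password_verify() checks the salted hash produced by password_hash().
    if ($hash === false || !password_verify($password, $hash)) {
        return false;
    }
    // New session ID at login, so an ID known before authentication
    // (session fixation) no longer maps to the logged-in Session.
    session_regenerate_id(true);
    $_SESSION['admin'] = true;
    return true;
}

function logout(): void
{
    $_SESSION = [];
    // Expire the browser's session cookie as well as the server-side file.
    $p = session_get_cookie_params();
    setcookie(session_name(), '', ['expires' => time() - 3600,
        'path' => $p['path'], 'domain' => $p['domain'],
        'secure' => $p['secure'], 'httponly' => $p['httponly']]);
    session_destroy();
}

// Cookie flags: sent over HTTPS only, hidden from JavaScript, same-site;
// strict mode rejects session IDs the server did not issue.
session_start(['cookie_secure' => true, 'cookie_httponly' => true,
               'cookie_samesite' => 'Lax', 'use_strict_mode' => true]);

// Constructed sample data in an in-memory database, so this runs offline.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE user (username TEXT PRIMARY KEY, password_hash TEXT)');
$db->prepare('INSERT INTO user VALUES (?, ?)')
   ->execute(["o'neil", password_hash('correct horse', PASSWORD_DEFAULT)]);

$wrong = login($db, "o'neil", 'guess');          // wrong password
$right = login($db, "o'neil", 'correct horse');  // quote in name is harmless
$state = $_SESSION['admin'] ?? null;
logout();
var_dump($wrong, $right, $state, isset($_SESSION['admin']));
```

Results are collected first and printed only after logout(), because session_regenerate_id() and setcookie() must run before any output is sent.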
Can a Session be given a lifetime like a cookie? Once you have Session, will you abandon cookies completely? I would say that using Session in combination with cookies is the most convenient.