php 为什么在数据库中保存会话是好的保存?
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/13911210/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
Why is it good save to save sessions in the database?
提问by kiriappa
I have seen that codeigniter have facility to save session values in database.
It says saving session in database is good security practice.
我已经看到 codeigniter 具有将会话值保存在数据库中的功能。
它说在数据库中保存会话是一种很好的安全实践。
But I think saving session information in the database helps improve performance.
They save only a few elements of the session, such as:
但我认为在数据库中保存会话信息有助于提高性能。
它们只保存会话的几个元素,例如:
CREATE TABLE IF NOT EXISTS 'ci_sessions' (
session_id varchar(40) DEFAULT '0' NOT NULL,
ip_address varchar(16) DEFAULT '0' NOT NULL,
user_agent varchar(50) NOT NULL,
last_activity int(10) unsigned DEFAULT 0 NOT NULL,
user_data text NOT NULL,
PRIMARY KEY (session_id)
);
But if a site uses more session variables such as username, last log in time, etc, I can save them in database and use them in the program.
但是如果一个站点使用了更多的会话变量,如用户名、上次登录时间等,我可以将它们保存在数据库中并在程序中使用它们。
Do I have to add these columns to the same table? I think saving session information in the database only helps reduce web servers' memory usage (RAM). Can anybody explain in what sense does it improve security.
我是否必须将这些列添加到同一个表中?我认为将会话信息保存在数据库中只会有助于减少 Web 服务器的内存使用 (RAM)。任何人都可以解释它在什么意义上提高了安全性。
回答by zerkms
It doesn't improve security in any way.
它不会以任何方式提高安全性。
The most common and reasonable pattern to store sessions in database is when you have several frontend servers, so you need a shared session storage for them.
在数据库中存储会话的最常见和合理的模式是当您有多个前端服务器时,因此您需要为它们共享会话存储。
For downvoters: a file in filesystem isn't less secured than a record in database.
对于downvoters:文件系统中的文件并不比数据库中的记录安全。
回答by Tim S.
The idea is that sessions can't be hiHymaned.
这个想法是会话不能被劫持。
A session ID is stored in a cookie. If a hacker can steal that ID, he can pretend to be someone else, because a session is identified by... it's ID.
会话 ID 存储在 cookie 中。如果黑客可以窃取该 ID,他就可以伪装成其他人,因为会话是由...标识的。
By saving a user's session ID, IP and agent server-side (your database for example) you can compare the data saved in the database with the client. If a hacker steals someone's session ID, the hacker just might not have a matching IP and/or user-agent, making the users not match which allows you to show or hide certain content.
通过保存用户的会话 ID、IP 和代理服务器端(例如您的数据库),您可以将保存在数据库中的数据与客户端进行比较。如果黑客窃取了某人的会话 ID,黑客可能没有匹配的 IP 和/或用户代理,使用户不匹配,从而允许您显示或隐藏某些内容。
You have to compare the data manually though.
不过,您必须手动比较数据。
回答by deceze
A common security faux-pas with file-based sessions is to store them in /tmpor another shared directory where the data may be accessible to 3rd parties; especially on shared hosts this can be a problem. This can be prevented with proper file permissions though.
基于文件的会话的常见安全失礼是将它们存储在/tmp3rd 方可以访问数据的其他共享目录中;特别是在共享主机上,这可能是一个问题。不过,这可以通过适当的文件权限来防止。
Storing them in a database means you have all the access restrictions of the database in place, though that also means you need to configure them correctly and set up the physical storage of the database securely.
将它们存储在数据库中意味着您拥有数据库的所有访问限制,但这也意味着您需要正确配置它们并安全地设置数据库的物理存储。
It improves performance insofar as the database server has more layers to improve performance through caching and in-memory storage, whereas file based sessions always incur a disk access. Concurrent access can be improved since you can choose other concurrency mechanisms than file locking. If your database server is already busy with regular database work though, additionally throwing session handling at it may or may not be a good idea.
它提高了性能,因为数据库服务器有更多层通过缓存和内存存储来提高性能,而基于文件的会话总是会导致磁盘访问。由于您可以选择文件锁定以外的其他并发机制,因此可以改进并发访问。如果您的数据库服务器已经忙于常规的数据库工作,那么另外将会话处理放在上面可能是也可能不是一个好主意。
回答by Ganesh RJ
This is to answer: can I save them in the database and utilize them in the program?
这是为了回答:我可以将它们保存在数据库中并在程序中使用它们吗?
Yes, you can save them in the database,but there is no need to create a separate column for that. It goes into the userdata column.
是的,您可以将它们保存在数据库中,但无需为此创建单独的列。它进入用户数据列。
You can set the username with
$this->session->set_userdata('sessionname',session value);
您可以设置用户名
$this->session->set_userdata('sessionname',session value);
You can retrieve it with
$var=$this->session->userdata('sessionname');
你可以用
$var=$this->session->userdata('sessionname');
回答by Vincent
You don't mention if you use PHP or MYSQL, but saving your session in a database does not give you better performance, in fact quite the opposite.
您没有提到是使用 PHP 还是 MYSQL,但是将会话保存在数据库中并不会为您提供更好的性能,实际上恰恰相反。
The default file based session in PHP is much faster than retrieving session values from the database, however you won't really notice the difference until you're processing thousands of queries per second.
PHP 中基于默认文件的会话比从数据库中检索会话值快得多,但是在每秒处理数千个查询之前,您不会真正注意到差异。
回答by Nikunj K.
The application needs to be able to run on multiple servers without server affinity (methods that direct requests from the same client to the same server). An easy way to make sure that sessions continue to work properly is to store sessions in a central database that is common to all servers.
The application needs to be able to run on a shared host, where there are significant security concerns associated with storing session data in the filesystem.
The performance needs of the application are very demanding and require a more sophisticated storage solution for session data. There are many existing ideas and methodologies that address database performance issues, and these can be used when sessions are stored in a database.
应用程序需要能够在没有服务器亲缘关系的情况下在多个服务器上运行(将请求从同一客户端定向到同一服务器的方法)。确保会话继续正常工作的一种简单方法是将会话存储在所有服务器通用的中央数据库中。
应用程序需要能够在共享主机上运行,在共享主机上存在与在文件系统中存储会话数据相关的重大安全问题。
应用程序的性能需求非常苛刻,需要更复杂的会话数据存储解决方案。有许多解决数据库性能问题的现有想法和方法,当会话存储在数据库中时,可以使用这些想法和方法。
