Mainly here are the risks:

主要有以下风险：

• Session hiHymaning
• Session fixation

• 会话劫持
• 会话固定

Consider using OWASPto do against it.

考虑使用OWASP来对付它。

Also have a look at:

也看看：

PHP Security Guide

PHP 安全指南

The answer by sAc is very good. However, don't rule out "sessions" because of this.

sAc 的回答非常好。但是，不要因此排除“会话”。

I've successfully deployed custom sessions which, among other things, fixes hiHymaning, password reversal (md5/rainbow) and (if used correctly) session fixation.

我已经成功部署了自定义会话，其中包括修复劫持、密码反转 (md5/rainbow) 和（如果使用正确）会话固定。

By "successfully deployed" I mean passing penetration testing and (of course) actually being better than the traditional.

“成功部署”是指通过渗透测试，并且（当然）实际上比传统的更好。

There is no "secret" or obscure security; basically, it generates a random (and database-wise unique) number (actually, a guid in my case) per user account and stores the guid+username as the normal method (instead of username+hashed/salted password). Next, it binds this guid with the user's ip address. Not infallible, but using a guid and per-ip already is an improvement over the current session system. Of course, there are flaws which open up after specific targeting (such as ip spoofing+the hiHymaned guid and username). But in general, it's a way better alternative.

没有“秘密”或模糊的安全；基本上，它为每个用户帐户生成一个随机（和数据库方面唯一的）数字（实际上，在我的情况下是一个 guid），并将 guid+用户名存储为正常方法（而不是用户名+散列/加盐密码）。接下来，它将此 guid 与用户的 ip 地址绑定。并非绝对可靠，但使用 guid 和 per-ip 已经是对当前会话系统的改进。当然，有一些缺陷在特定目标后会暴露出来（例如 ip 欺骗 + 被劫持的 guid 和用户名）。但总的来说，这是一种更好的选择。

The biggest risk is if IPs aren't associated with a session, and session IDs are accepted without verifying they come from the IP that started them (or at least an IP in the same subnet). This allows someone to send a link to an already-started session, where the unwitting dupe might need to log in. Upon doing so, the SESSION is considered logged in -- and the hacker that sent the link (who already has the session ID) has access to our rube's account. Or it could happen the other way around, where the user's already logged in and doesn't have cookies enabled, so a PHPSESSID value is stored in every link. If the user pastes a link to someone, they're also effectively pasting their access to the site.

最大的风险是如果 IP 不与会话相关联，并且会话 ID 被接受而无需验证它们来自启动它们的 IP（或至少是同一子网中的 IP）。这允许某人发送一个链接到一个已经开始的会话，不知情的骗子可能需要在那里登录。这样做后，会话被视为登录 - 发送链接的黑客（已经拥有会话 ID ) 可以访问我们的 rube 帐户。或者也可能发生相反的情况，即用户已经登录并且没有启用 cookie，因此 PHPSESSID 值存储在每个链接中。如果用户将链接粘贴到某人，他们也有效地粘贴了对站点的访问。

In order to prevent this, a decent site will avoid starting a session til there's something to store in it, and keep track of what IP the session was intended for. And to exploit it, an attacker will look for a site that sends a PHPSESSID query string value in each link from the home page, or sends a similarly named cookie on the index page.

为了防止这种情况，一个像样的站点将避免启动会话，直到有东西存储在其中，并跟踪会话的目的 IP。为了利用它，攻击者会寻找一个站点，该站点在主页的每个链接中发送 PHPSESSID 查询字符串值，或者在索引页面上发送类似名称的 cookie。

Here is a good discussion on the subject: http://phpsec.org/projects/guide/4.html

这是关于这个主题的一个很好的讨论：http: //phpsec.org/projects/guide/4.html

PHP Sessions use session identifiers, and haxxors can try all possible identifiers with a small change they got a valid one. Also, these identifiers are stored in cookies and can be intercepted. A third possibility is that PHP can be buggy and create two sessions with the same identifier. Also, session data is stored in files on the disk, which is unsecured. Instead, databases need a password.

PHP Sessions 使用会话标识符，haxxor 可以尝试所有可能的标识符，只要稍作改动就可以得到一个有效的标识符。此外，这些标识符存储在 cookie 中并且可以被拦截。第三种可能性是 PHP 可能有问题并使用相同的标识符创建两个会话。此外，会话数据存储在磁盘上的文件中，这是不安全的。相反，数据库需要密码。

It is actually not possible to prevent the first two reasons, but the third and forth ones can be. For example, store your session data in a database.

前两个原因实际上无法阻止，但第三个和第四个原因可以。例如，将会话数据存储在数据库中。