Sessions are significantly safer than, say, cookies. But it is still possible to steal a session and thus the hacker will have total access to whatever is in that session. Some ways to avoid this are IP Checking (which works pretty well, but is very low fi and thus not reliable on its own), and using a nonce. Typically with a nonce, you have a per-page "token" so that each page checks that the last page's nonce matches what it has stored.

会话比 cookie 安全得多。但是仍然有可能窃取会话，因此黑客可以完全访问该会话中的任何内容。避免这种情况的一些方法是 IP 检查（它工作得很好，但 fi 非常低，因此本身不可靠）和使用 nonce。通常，对于随机数，您有一个每页“令牌”，以便每个页面检查最后一页的随机数是否与它存储的内容相匹配。

In either security check, there is a loss of usability. If you do IP checking and the user is behind a intranet firewall (or any other situation that causes this) which doesn't hold a steady IP for that user, they will have to re-authenticate every time they lose their IP. With a nonce, you get the always fun "Clicking back will cause this page to break" situation.

在任一安全检查中，都存在可用性损失。如果您进行 IP 检查并且用户位于 Intranet 防火墙（或导致此情况的任何其他情况）之后，该防火墙没有为该用户保留稳定的 IP，则他们每次丢失 IP 时都必须重新进行身份验证。使用随机数，您会得到总是很有趣的“单击返回将导致此页面中断”的情况。

But with a cookie, a hacker can steal the session simply by using fairly simple XSS techniques. If you store the user's session ID as a cookie, they are vulnerable to this as well. So even though the session is only penetrable to someone who can do a server-level hack (which requires much more sophisticated methods and usually some amount of privilege, if your server is secure), you are still going to need some extra level of verification upon each script request. You should not use cookies and AJAX together, as this makes it a tad easier to totally go to town if that cookie is stolen, as your ajax requests may not get the security checks on each request. For example, if the page uses a nonce, but the page is never reloaded, the script may only be checking for that match. And if the cookie is holding the authentication method, I can now go to town doing my evilness using the stolen cookie and the AJAX hole.

但是使用 cookie，黑客可以通过使用相当简单的 XSS 技术来窃取会话。如果您将用户的会话 ID 存储为 cookie，他们也容易受到此攻击。因此，即使会话只能被可以进行服务器级黑客攻击的人穿透（这需要更复杂的方法，通常需要一定数量的权限，如果您的服务器是安全的），您仍然需要一些额外的验证级别根据每个脚本请求。你不应该同时使用 cookie 和 AJAX，因为如果 cookie 被盗，这会让你更容易完全去镇上，因为你的 ajax 请求可能无法对每个请求进行安全检查。例如，如果页面使用随机数，但页面从未重新加载，则脚本可能只检查该匹配项。如果 cookie 持有身份验证方法，

Only scripts executing on your server have access to the _SESSION array. If you define the scope of the session cookie, you can even restrict it to a specific directory. The only way someone besides you could get that session data is to inject some PHP code into one of your pages.

只有在您的服务器上执行的脚本才能访问 _SESSION 数组。如果您定义会话 cookie 的范围，您甚至可以将其限制为特定目录。除了您之外的其他人可以获得该会话数据的唯一方法是将一些 PHP 代码注入您的一个页面中。

As for the system you're using, that is acceptable and is a good way to save database calls, but keep in mind that it will require the user to log out and log in again for any authorization changes to apply. So if you wanted to lock out an account and that user is already logged in, you can't.

对于您正在使用的系统，这是可以接受的并且是保存数据库调用的好方法，但请记住，它需要用户注销并再次登录才能应用任何授权更改。因此，如果您想锁定一个帐户并且该用户已经登录，则不能。

It should be noted that in Apache the PHP $_SESSION superglobal is accessible across virtualhosts. Consider this scenario:

应该注意的是，在 Apache 中，PHP $_SESSION 超全局变量可以跨虚拟主机访问。考虑这个场景：

• Your server hosts two domains, example.com and instance.org. PHP sessions are stored in cookies that are restricted to the domain.
• A user logs in to example.com and receives a session ID. Example.com sets some session variables (which are stored on the server, not in the cookie).
• A third party intercepts the cookie during transmission and passes it to instance.org. Instance.org now has access to the example.com session variables.

• 您的服务器托管两个域，example.com 和 instance.org。PHP 会话存储在仅限于域的 cookie 中。
• 用户登录 example.com 并接收会话 ID。Example.com 设置了一些会话变量（它们存储在服务器上，而不是在 cookie 中）。
• 第三方在传输过程中拦截 cookie 并将其传递给 instance.org。Instance.org 现在可以访问 example.com 会话变量。

This is not such a big deal when you control all the virtualhosts on your server, but if you are on a shared machine, it's problematic.

当您控制服务器上的所有虚拟主机时，这没什么大不了的，但是如果您在共享机器上，那就有问题了。

If you rely on a value stored inside of a session variable to determine roles then you lose the ability to change the value in the DB and have it reflected against the user's current session. If you look at Zend Framework, there's a clear distinction between authentication and authorization, and strongly-worded warnings in the manual to only store the minimal amount of data in the session (ie "Yup, he's user #37 & he logged in").

如果您依赖存储在会话变量中的值来确定角色，那么您将无法更改数据库中的值并将其反映到用户的当前会话中。如果您查看 Zend 框架，则身份验证和授权之间有明显区别，并且手册中措辞强硬的警告仅在会话中存储最少量的数据（即“是的，他是用户 #37，他已登录”） .

As far as 'safety' goes - unless you're on shared host, there's nothing to worry about. On a properly configured shared host, they should be relatively secure, too.

就“安全”而言 - 除非您使用共享主机，否则无需担心。在正确配置的共享主机上，它们也应该相对安全。