PHP session security on a custom e-commerce website, how should I do it?
Hi, I have a website going live shortly that has a very simple system whereby customers can purchase a single item from the website. I am using PHP Sessions to store the customer's product, personal and bank details as they move through the site.
However, I am concerned that I do not have any PHP Session security, or not enough, or not done properly. I have read Chris Shiflett's page on security and tried to implement his methods, but I really haven't been able to grasp or understand what needs to be done, and I think that what I currently have in place isn't even working.
My current code is very small and only appears at the start of any page with "session_start()" and here it is:
session_start();
if (!isset($_SESSION['initiated']))
{
    // Only runs on the first request of a session: swap the ID, then mark it
    session_regenerate_id();
    $_SESSION['initiated'] = true;
}
To be honest I really have no idea what this is doing apart from regenerating the session id if $_SESSION['initiated'] is not true.
Could someone please suggest some session security methods that I can implement on my site, and any other security measures you think might be required?
Thanks in advance.
Daniel.
Your code is wrong; I don't see why you wrote it this way.
Your logic on the first request:
if no session_id exists, create one
if the user appears for the first time
generate a new session_id
save initiated = true
show your page with initiated = true
The second request appears:
show your page with initiated = true
On any visit initiated = true and the session_id is the same, so initiated will be true all the time, whether it is the first, second, third... visit.
So your code does only one thing: on the first visit it generates two session_ids and saves initiated = true. This doesn't provide any security.
You should create a user system and then save the items the user purchased, or something similar.
UPDATE
You can ask the customer for his email address and then send a confirmation to that email; save the email and product id in a database, so one email, one product.
Yes, the customer can create a second email and try to buy one more, but sessions can also be manipulated: just remove the session cookie or restart the browser and you can go and buy one more time.
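The question asks for concrete session security methods, and the answer above walks through why the posted `initiated` check does nothing on its own: it only swaps the ID once, on a session the server would have accepted anyway. The block below is an added example, not code from the question or from either answer, showing what that bootstrap looks like once the pieces Shiflett describes are actually in place: strict mode so PHP refuses IDs it did not issue (which is what defeats fixation), cookie flags, ID regeneration on first use and at privilege changes, idle and absolute timeouts, and a coarse client binding. The function names `secure_session_start` and `rotate_session_id`, the timeout values, and the assumptions that the site is served over HTTPS and runs on PHP 7.3 or later (for the array form of `session_set_cookie_params`) are mine, not the poster's.

```php
<?php
// Added example: hardened session bootstrap for a PHP checkout flow.
// Assumptions: site served over HTTPS, PHP >= 7.3. Names and limits are illustrative.

declare(strict_types=1);

const SESSION_IDLE_LIMIT     = 900;   // seconds of inactivity before the session is dropped
const SESSION_ABSOLUTE_LIMIT = 3600;  // hard cap on a session's lifetime, active or not

/** Compute a coarse client fingerprint; a mismatch is a cheap hijack signal. */
function client_fingerprint(): string
{
    return hash('sha256', $_SERVER['HTTP_USER_AGENT'] ?? '');
}

/** Reset $_SESSION to a fresh, server-issued session carrying only our markers. */
function initialise_session(int $now): void
{
    session_unset();                 // drop whatever data the old session held
    session_regenerate_id(true);     // new ID, old session file deleted
    $_SESSION['initiated']   = true;
    $_SESSION['created_at']  = $now;
    $_SESSION['last_seen']   = $now;
    $_SESSION['fingerprint'] = client_fingerprint();
}

function secure_session_start(): void
{
    // Strict mode: an ID the server never issued is rejected and replaced,
    // so a pre-set cookie (session fixation) cannot be turned into a valid
    // session. Keep IDs in cookies only, never in URLs.
    ini_set('session.use_strict_mode', '1');
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_trans_sid', '0');

    // Cookie flags: not readable by JavaScript, only sent over TLS,
    // not sent on cross-site requests. 'lifetime' 0 = session cookie.
    session_set_cookie_params([
        'lifetime' => 0,
        'path'     => '/',
        'domain'   => '',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Strict',
    ]);

    session_start();
    $now = time();

    // First request on this session: establish our markers on a fresh ID.
    if (!isset($_SESSION['initiated'])) {
        initialise_session($now);
        return;
    }

    $idle     = $now - (int) ($_SESSION['last_seen']  ?? 0);
    $age      = $now - (int) ($_SESSION['created_at'] ?? 0);
    $expired  = $idle > SESSION_IDLE_LIMIT || $age > SESSION_ABSOLUTE_LIMIT;
    $hijacked = !hash_equals((string) ($_SESSION['fingerprint'] ?? ''), client_fingerprint());

    if ($expired || $hijacked) {
        // Do not silently keep state we no longer trust: start over.
        initialise_session($now);
        return;
    }

    $_SESSION['last_seen'] = $now;
}

/**
 * Call at every privilege change (customer confirms identity, order is placed)
 * so an ID captured before the step cannot be replayed after it.
 */
function rotate_session_id(): void
{
    session_regenerate_id(true);
}

secure_session_start();
```

Two caveats a reviewer would add. The User-Agent binding is deliberately coarse; binding to the client IP as well breaks legitimate users behind rotating proxies, so treat a mismatch as a reason to start over, not as proof of an attack. More importantly, PHP writes `$_SESSION` to the server's session store (plain files by default), so bank or card details placed in the session sit on disk in clear for as long as the session lives; hand that data straight to the payment processor and keep only a reference to it in the session.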
This would check if a session already exists ($_SESSION['initiated'] == TRUE), and if it does not, it would create one. PHP Sessions store the session information on the server, so it is secure enough.