PHP session security: store sessions in the database or change the session save path?
I am trying to create a more secure PHP sessions login script. Unfortunately for this project I will be working with shared hosting. Would using PHP's session_save_path() function to change the path to something other than /tmp be a secure solution? Or do I need to save the sessions in the database?
Thanks!
Moving the session save path is a good start. Just make sure it's not in the document root.
With some shared hosts I've observed that getting a database connection can take a second or two. Storing your sessions in the db could slow the whole app down. Your session is accessed twice per page load.
You may want to test both and see which performs better.
Personally, I prefer storing sessions in the database because it not only circumvents some of the file access slowdowns associated with using a file-based system, but also gives you more direct and "supervised" methods of managing the direct session data.
Consider, if you implement using MySQL, using the Memory (HEAP) Storage Engine as it will give enormous performance benefits. This, of course, is assuming you are unlikely to have thousands upon thousands of active sessions, and that your session data is "volatile safe," i.e. if a server crash causes session data to be lost, the worst that should happen will be that users are asked to log back in.
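Both answers above describe a configuration rather than showing one, so here is an added example (not code from the question or either answer) that implements the two options side by side: a private file-based save path outside the document root, and a database-backed handler built on PHP's SessionHandlerInterface. The directory layout (/home/example/...), the SQLite DSN used as a stand-in for the host's MySQL database, the table name `sessions`, and the class name `PdoSessionHandler` are all assumptions chosen for this example.

```php
<?php
// Added example, not from the original question or answers.
// Option 1: private session save path outside the document root.
// Option 2: database-backed handler implementing SessionHandlerInterface.
// Paths, DSN, table name and class name are assumptions for this example.
declare(strict_types=1);

// --- Option 1 ----------------------------------------------------------
// Assumed layout: /home/example/public_html is the document root, so
// /home/example/sessions is never served over HTTP.
function configurePrivateSessionPath(string $dir): void
{
    if (!is_dir($dir) && !mkdir($dir, 0700, true)) {
        throw new RuntimeException("cannot create session dir $dir");
    }
    chmod($dir, 0700);            // only this account's user can read the files,
    session_save_path($dir);      // unlike the world-readable shared /tmp
    // Cookie and id hardening applies no matter where sessions are stored.
    ini_set('session.use_strict_mode', '1');   // reject ids the server never issued
    ini_set('session.use_only_cookies', '1');  // never accept the id from the URL
    session_set_cookie_params([
        'httponly' => true,
        'secure'   => true,       // requires the site to run over HTTPS
        'samesite' => 'Lax',
    ]);
}

// --- Option 2 ----------------------------------------------------------
final class PdoSessionHandler implements SessionHandlerInterface
{
    public function __construct(private PDO $pdo, private string $table = 'sessions') {}

    public function open(string $path, string $name): bool { return true; }
    public function close(): bool { return true; }

    // Only rows that have not expired are returned; an unknown or expired
    // id yields an empty session, which strict mode then replaces.
    public function read(string $id): string|false
    {
        $stmt = $this->pdo->prepare(
            "SELECT data FROM {$this->table} WHERE id = :id AND expires_at > :now");
        $stmt->execute([':id' => $id, ':now' => time()]);
        $row = $stmt->fetch(PDO::FETCH_ASSOC);
        return $row === false ? '' : $row['data'];
    }

    public function write(string $id, string $data): bool
    {
        $ttl = (int) ini_get('session.gc_maxlifetime');
        // REPLACE INTO is accepted by both SQLite and MySQL as an upsert.
        $stmt = $this->pdo->prepare(
            "REPLACE INTO {$this->table} (id, data, expires_at) VALUES (:id, :data, :exp)");
        return $stmt->execute([':id' => $id, ':data' => $data, ':exp' => time() + $ttl]);
    }

    public function destroy(string $id): bool
    {
        $stmt = $this->pdo->prepare("DELETE FROM {$this->table} WHERE id = :id");
        return $stmt->execute([':id' => $id]);
    }

    // Garbage collection removes expired rows; PHP calls this probabilistically.
    public function gc(int $max_lifetime): int|false
    {
        $stmt = $this->pdo->prepare("DELETE FROM {$this->table} WHERE expires_at <= :now");
        $stmt->execute([':now' => time()]);
        return $stmt->rowCount();
    }
}

// --- Usage -------------------------------------------------------------
configurePrivateSessionPath('/home/example/sessions');   // assumed path

// SQLite stands in for the shared host's MySQL database; for MySQL change
// the DSN to mysql:host=...;dbname=... and keep the same SQL.
$pdo = new PDO('sqlite:/home/example/sessions/sessions.sqlite');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE IF NOT EXISTS sessions (
    id TEXT PRIMARY KEY, data TEXT NOT NULL, expires_at INTEGER NOT NULL)');

session_set_save_handler(new PdoSessionHandler($pdo), true);
session_start();
// After a successful login, call session_regenerate_id(true) so the
// pre-login id cannot be reused (session fixation).
```

With `session.use_strict_mode` on, a client presenting an id that `read()` does not know is simply issued a fresh one, so a guessed or planted id never becomes a valid session. If the MySQL MEMORY engine mentioned above is used, note that it does not support TEXT or BLOB columns, so `data` would need a bounded VARBINARY length, and everything in the table is lost on a server restart, which is exactly the "volatile safe" assumption the answer spells out.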