P.S.: You can protect your cookies better by using httponly cookies (http://www.codinghorror.com/blog/2008/08/protecting-your-cookies-httponly.html). For PHP you can read http://ilia.ws/archives/121-httpOnly-cookie-flag-support-in-PHP-5.2.html. I forgot to do this for the session example, but did use it for the cookie example :(. When you use this, most browsers (those that support httponly) cannot read your cookie from JavaScript. To use httponly cookies with sessions: ini_set("session.cookie_httponly", 1);
What is the difference between setting a cookie in PHP with no expiry (meaning it expires when the browser closes) and setting a session variable?
They can track the same information, but when using cookies (without sessions) all the information is stored in the user's web browser, where it can be stolen by hackers or even changed to provide false information. For simple things you could use cookies, but I think you could also use sessions, because when you use cookies you need to send more information over the wire.
The Internet (HTTP, http://nl.wikipedia.org/wiki/Hypertext_Transfer_Protocol) standard is a stateless protocol (http://en.wikipedia.org/wiki/Stateless_protocol), i.e. it has no memory, which has the advantage of simplifying server design. The Internet uses cookies (http://en.wikipedia.org/wiki/HTTP_cookie) to let it "remember".
Sessions only use the cookie to store the PHPSESSID (http://www.php.net/manual/en/session.configuration.php#ini.session.name). By default the rest of the information is stored on disc (http://www.php.net/manual/en/session.configuration.php#ini.session.save-handler), which is a more secure way to keep state (store sensitive information). You could also encrypt your cookie (https://stackoverflow.com/questions/173727/how-to-save-encrypted-data-in-cookie-using-php) to do this, but I think sessions (http://en.wikipedia.org/wiki/Session_%28computer_science%29) are the good way to do it.
You can override this behaviour, and probably should when your site has high traffic, to use something like memcached (http://memcached.org/) or redis (http://redis.io) and store the session information only in memory (memory is much faster than reading files from a spinning disc, because it has no moving parts and sits very close to the CPU). To do this you need to override the session save handler (http://www.php.net/manual/en/function.session-set-save-handler.php). It is very easy to do with redis. To install redis just type make. Predis (https://github.com/nrk/predis) is the recommended (popular) PHP client library for Redis. To save session information in redis you can use redis-session-php (https://github.com/ivanstojic/redis-session-php).
Session
Code
I created a very simple php file to demonstrate sessions.
<?php
// session.php: the counter lives on the server; the browser only gets PHPSESSID
session_start();
if (!isset($_SESSION['count'])) {
    $_SESSION['count'] = 0;
}
echo $_SESSION['count']++;
Curl the first time, saving the cookie
I am using Ubuntu (http://en.wikipedia.org/wiki/Ubuntu) below.
alfred@alfred-laptop:~/www/stackoverflow/6717214$ curl http://localhost/stackoverflow/6717214/session.php -v -c cookie
* About to connect() to localhost port 80 (#0)
* Trying ::1... Connection refused
* Trying 127.0.0.1... connected
* Connected to localhost (127.0.0.1) port 80 (#0)
> GET /stackoverflow/6717214/session.php HTTP/1.1
> User-Agent: curl/7.21.0 (i686-pc-linux-gnu) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3.4 libidn/1.18
> Host: localhost
> Accept: */*
>
< HTTP/1.1 200 OK
< Date: Sat, 16 Jul 2011 12:13:43 GMT
< Server: Apache/2.2.16 (Ubuntu)
< X-Powered-By: PHP/5.3.3-1ubuntu9.3
* Added cookie PHPSESSID="eauo6se9o34oegs57nuhs5u3b7" for domain localhost, path /, expire 0
< Set-Cookie: PHPSESSID=eauo6se9o34oegs57nuhs5u3b7; path=/
< Expires: Thu, 19 Nov 1981 08:52:00 GMT
< Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
< Pragma: no-cache
< Vary: Accept-Encoding
< Content-Length: 1
< Content-Type: text/html
<
* Connection #0 to host localhost left intact
* Closing connection #0
0
-v: make the operation more talkative
-c: write cookies to this file after the operation
Next we show the cookie created by the session.
alfred@alfred-laptop:~/www/stackoverflow/6717214$ cat cookie
# Netscape HTTP Cookie File
# http://curl.haxx.se/rfc/cookie_spec.html
# This file was generated by libcurl! Edit at your own risk.
localhost FALSE / FALSE 0 PHPSESSID d5jfijp8515pbhnoe43v4rau97
Standard PHP uses the filesystem to store the data belonging to the session (PHPSESSID). For me the files are located at /var/lib/php5
alfred@alfred-laptop:~/www/stackoverflow/6717214$ php -r "echo session_save_path();"
/var/lib/php5
As you can see, it stores this information in the file sess_d5jfijp8515pbhnoe43v4rau97. It uses serialize (http://php.net/manual/en/function.serialize.php) under the hood to convert the object to a string.
alfred@alfred-laptop:/var/lib/php5$ sudo cat sess_d5jfijp8515pbhnoe43v4rau97
count|i:1;
I needed sudo (http://en.wikipedia.org/wiki/Sudo) because by default I could not read from that location.
alfred@alfred-laptop:/var/lib$ sudo ls -la /var/lib/ | grep php5
drwx-wx-wt 2 root root 4096 2011-07-16 14:16 php5
The read bit (http://www.comptechdoc.org/os/linux/usersguide/linux_ugfilesp.html) is not set for that directory.
Second curl, using the saved cookie
alfred@alfred-laptop:~/www/stackoverflow/6717214$ curl -v -b cookie http://localhost/stackoverflow/6717214/session.php
* About to connect() to localhost port 80 (#0)
* Trying ::1... Connection refused
* Trying 127.0.0.1... connected
* Connected to localhost (127.0.0.1) port 80 (#0)
> GET /stackoverflow/6717214/session.php HTTP/1.1
> User-Agent: curl/7.21.0 (i686-pc-linux-gnu) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3.4 libidn/1.18
> Host: localhost
> Accept: */*
> Cookie: PHPSESSID=d5jfijp8515pbhnoe43v4rau97
>
< HTTP/1.1 200 OK
< Date: Sat, 16 Jul 2011 12:28:59 GMT
< Server: Apache/2.2.16 (Ubuntu)
< X-Powered-By: PHP/5.3.3-1ubuntu9.3
< Expires: Thu, 19 Nov 1981 08:52:00 GMT
< Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
< Pragma: no-cache
< Vary: Accept-Encoding
< Content-Length: 1
< Content-Type: text/html
<
* Connection #0 to host localhost left intact
* Closing connection #0
1
-b: cookie string or file to read cookies from
As you can see, we can count without storing any information inside the cookie. We use the same cookie to remember our state. You can also see that the information on disc has changed to reflect this.
alfred@alfred-laptop:~/www/stackoverflow/6717214$ sudo cat /var/lib/php5/sess_d5jfijp8515pbhnoe43v4rau97
count|i:2;
Cookies
When using only cookies, everything is stored on the user's computer.
Code
<?php
// cookie.php: the counter itself travels in the cookie, so the client holds the state
$counter = 0;
if (isset($_COOKIE['counter'])) {
    $counter = $_COOKIE['counter'] + 1;
}
// expire 0 makes it a browser-session cookie; the last argument sets the httponly flag
setcookie("counter", $counter, 0, "", "", false, true);
echo $counter;
First time with curl, storing the cookie
alfred@alfred-laptop:~/www/stackoverflow/6717214$ curl -c cookie -v http://localhost/stackoverflow/6717214/cookie.php
* About to connect() to localhost port 80 (#0)
* Trying ::1... Connection refused
* Trying 127.0.0.1... connected
* Connected to localhost (127.0.0.1) port 80 (#0)
> GET /stackoverflow/6717214/cookie.php HTTP/1.1
> User-Agent: curl/7.21.0 (i686-pc-linux-gnu) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3.4 libidn/1.18
> Host: localhost
> Accept: */*
>
< HTTP/1.1 200 OK
< Date: Sat, 16 Jul 2011 13:22:03 GMT
< Server: Apache/2.2.16 (Ubuntu)
< X-Powered-By: PHP/5.3.3-1ubuntu9.3
* Added cookie counter="0" for domain localhost, path /stackoverflow/6717214/, expire 0
< Set-Cookie: counter=0; httponly
< Vary: Accept-Encoding
< Content-Length: 1
< Content-Type: text/html
<
* Connection #0 to host localhost left intact
* Closing connection #0
0
When we output the cookie we get:
alfred@alfred-laptop:~/www/stackoverflow/6717214$ cat cookie
# Netscape HTTP Cookie File
# http://curl.haxx.se/rfc/cookie_spec.html
# This file was generated by libcurl! Edit at your own risk.
#HttpOnly_localhost FALSE /stackoverflow/6717214/ FALSE 0 counter 0
As you can see, everything is stored inside the cookie and sent over the wire.
Curl the second time, using the cookie
alfred@alfred-laptop:~/www/stackoverflow/6717214$ curl -b cookie -c cookie -v http://localhost/stackoverflow/6717214/cookie.php
* About to connect() to localhost port 80 (#0)
* Trying ::1... Connection refused
* Trying 127.0.0.1... connected
* Connected to localhost (127.0.0.1) port 80 (#0)
> GET /stackoverflow/6717214/cookie.php HTTP/1.1
> User-Agent: curl/7.21.0 (i686-pc-linux-gnu) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3.4 libidn/1.18
> Host: localhost
> Accept: */*
> Cookie: counter=0
>
< HTTP/1.1 200 OK
< Date: Sat, 16 Jul 2011 13:32:24 GMT
< Server: Apache/2.2.16 (Ubuntu)
< X-Powered-By: PHP/5.3.3-1ubuntu9.3
* Replaced cookie counter="1" for domain localhost, path /stackoverflow/6717214/, expire 0
< Set-Cookie: counter=1; httponly
< Vary: Accept-Encoding
< Content-Length: 1
< Content-Type: text/html
<
* Connection #0 to host localhost left intact
* Closing connection #0
1
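The cookie.php counter above accepts whatever value the browser returns, which is exactly the "changed to provide false information" case the answer warns about. The following is an added example, not code from the original answer, that binds the cookie value to a server-side secret with an HMAC and sets the httponly flag together with Secure and SameSite; the COOKIE_SECRET environment variable, its fallback string and the helper names are assumptions of this example.

```php
<?php
// Added example, not from the original answer: the cookie.php counter above
// trusts whatever value the browser sends back, so a client can simply edit
// it. Here the value is bound to a server-side secret with an HMAC, and the
// cookie carries the same httponly flag as the original plus Secure/SameSite.
// COOKIE_SECRET and the fallback string are constructed placeholders.
declare(strict_types=1);

function signValue(string $value, string $secret): string
{
    // Format: value|hex(HMAC-SHA256(value, secret))
    return $value . '|' . hash_hmac('sha256', $value, $secret);
}

function verifyValue(string $signed, string $secret): ?string
{
    $parts = explode('|', $signed, 2);
    if (count($parts) !== 2) {
        return null;
    }
    [$value, $mac] = $parts;
    // hash_equals compares in constant time (no timing side channel)
    return hash_equals(hash_hmac('sha256', $value, $secret), $mac) ? $value : null;
}

function nextCounter(?string $incoming, string $secret): int
{
    if ($incoming === null) {
        return 0;               // first visit, no cookie yet
    }
    $value = verifyValue($incoming, $secret);
    if ($value === null || !ctype_digit($value)) {
        return 0;               // forged, tampered or malformed: start over
    }
    return (int) $value + 1;
}

$secret  = getenv('COOKIE_SECRET') ?: 'constructed-demo-secret-change-me';
$counter = nextCounter($_COOKIE['counter'] ?? null, $secret);

// PHP >= 7.3 options-array form of setcookie(); expires=0 keeps it a browser-session cookie
setcookie('counter', signValue((string) $counter, $secret), [
    'expires'  => 0,
    'path'     => '/',
    'secure'   => true,   // only sent over HTTPS
    'httponly' => true,   // not readable from JavaScript
    'samesite' => 'Lax',
]);
echo $counter;
```

Signing detects modification of the value but not replay of an older signed cookie; keeping the state server-side in a session, as the answer recommends, avoids both problems.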