table of Contents
$_SESSION completes the reading and writing of session data
Use cookies to verify user login
Cookie risk experiment (cookies are stolen)
1.php (open session mechanism)
Use session mechanism to realize user login authentication
Session control
When browsing the web, the HTTP protocol is used.
The client sends a request, the
server gives a response
COOKIE
cookie is "identity card"
A piece of text stored on the client, file|string (in most cases, string)
The server sends to the client (cookies are stored in the client)
Each time the client browser sends a request, it will automatically carry cookie information
Cookie information is also in the form of key-value pairs
The cookie information is written from the server to the client
Set cookie statement: setcookie();
<?php
setcookie("name","GGG"); //setcookie就是PHP中设置cookie的一个语句,服务器端向客户端写入
?>What setcookie returns is a Boolean value!
Attributes (characteristics) of setcookie:
name The name of the cookie
value Cookie value
expire expiration time (termination; expiration)
path Cookie effective path
domain Cookie's domain name
secure https (If it is not https, cookies will not be used)
httponly is only accessed through the http protocol, not through JS
Where can I read the cookie information of the browser? F12--Storage
The process of writing a cookie (identity card) from the server to the client: the
browser automatically carries the cookie information when accessing the page
1.php code:
<?php
setcookie("name","AJEST",null,null,null,null,null);
// setcookie有七个参数
//过期时间写null就是浏览器关闭的时候到期
//路径写null就是默认
//null就是默认,不写就用默认选项
/*
name Cookie的名称
value Cookie的值
expire 过期时间(终止; 到期)
path Cookie的有效路径
domain Cookie的域名
secure https(如果不是https,cookie就用不了)
httponly 仅仅通过http 协议访问,不能通过JS访问
*/
?>
How does the server receive cookie information
$_COOKIE
2. PHP code:
<?php
var_dump($_COOKIE);
?>
Through this process, the process of issuing the ID card and uploading the ID card is completed:
the issuing is through setcookie().
How do we provide the ID card information? (Each time the client browser sends a request, it will automatically carry cookie information)
Steal and deception
Steal is to be stolen, that is, your ID card is lost (the ID is placed on the client side), and
deception is that the attacker deceives the server
In fact, the ID card is not safe on the browser side, so we can consider putting the ID card on the server side.
If we put the ID card on the server side, this mechanism is called Session mechanism.
session mechanism
Session will put our ID card on the server side, but the session mechanism must rely on cookie implementation, indicating that our cookie is a text stored on the browser side, session is our user information is stored on the server side, but our session depends on the cookie. To achieve, our session has an attribute called session id, which is also sent to the browser.
Session id also has the risk of stealing and deceiving, but our ID card on the server side is safer than on the browser side!
session_start
The realization of session we need session_start
<?php
session_start();//开启session机制
?>
Then open a browser localhost/1.php, you will find that the session id of the two browsers are different, which means that through this session id, you can distinguish between different users. The
session is placed on the server side, so what is it on the server side? Where is it? Under which cache
$_SESSION completes the reading and writing of session data
Source code
Use cookies to verify user login
index.php
<meta charset="utf-8">
<h1>刹那芳华论坛</h1>
<?php
if(isset($_COOKIE['name'])){
echo "欢迎您,{$_COOKIE['name']} <a href='./logout.php'>注销</a>";
}else{
echo "<a href='./login.php'>请登录</a>";
}
?>login.php
<meta charset="utf-8">
<?php
if(isset($_POST['userSubmit'])){
if(isset($_POST['userName']) && $_POST['userName']=="AJEST"
&& isset($_POST['userPass']) && $_POST['userPass']=="123456"
){
if(setcookie("name","AJEST")){
echo "登录成功,<a href='./index.php'>返回首页</a>";
}else{
echo "设置cookie错误";
}
}else{
echo "用户名或密码错误<a href='./login.php'>请重新登录</a>";
}
}else{
$htm=<<<HTML
<form
action=""
method="post"
>
用户名:<input type="text" name="userName"><br/>
密码:<input type="password" name="userPass"><br/>
<input type="submit" name="userSubmit" value="登录"><br/>
</form>
HTML;
echo $htm;
}
?>
logout.php
<meta charset="utf-8">
<?php
setcookie("name",$_COOKIE['name'],time()-3600); //time()是当前时间
echo "已注销,<a href='./index.php'>返回首页</a>";
?>Enter the homepage (index.php)
Login (login.php)
Logout (logout.php)
Cookie risk experiment (cookies are stolen)
Steal cookies and log in directly
Log in on a browser
Open the localhost page of another browser and see that it is not logged in, but because we know that the cookie information has been stolen
We open the console panel and write information such as cookie
document.cookie=("name=AJEST")
Refresh the page again, you can log in directly
Now, we log out of the first browser page, and the cookie information is cleared
But no effect on another browser
1.php (open session mechanism)
<?php
session_start();//开启session 机制
$_SESSION['name']="GGG";
$_SESSION['age']=24;
?>
Will generate a file on the server side:
In contrast, the session is relatively safe
2.php()
<?php
session_start();
var_dump($_SESSION);
?>
我们只要在页面中开启了session_start
2.php就会根据我们客户端传过来的session id去找我们对应的缓存
如果缓存有值,$_SESSION就会获取存储在服务器端的session的这些变量
Open the session file on the server side, you will see the information we set up in it
Use session mechanism to realize user login authentication
index.php
<?php
session_start();//session_start()要写在最前面,前面不能有任何输出
?>
<meta charset="utf-8">
<h1>刹那芳华论坛</h1>
<?php
if(isset($_SESSION['userName']) && $_SESSION['userName'] =="GGG")
{
echo "欢迎您,{$_SESSION['userName']} <a href='./logout.php'>注销</a>";
}
else
{
echo "<a href='./login.php'>请登录</a>";
}
?>login.php
<?php
session_start();
echo "<meta charset='utf-8'>";
?>
<?php
if(isset($_POST['userSubmit'])){
if(
isset($_POST['userName']) &&
isset($_POST['userPass']) &&
$_POST['userName'] == "GGG" &&
$_POST['userPass'] == "123456"
){
$_SESSION['userName'] = $_POST['userName'];
echo "登录成功,<a href='./index.php'>返回首页</a>";
}else{
echo "用户或密码错误,<a href='./login.php'>请重新登录</a>";
}
}else{
$html=<<<HTML
<form
action=""
method="post"
>
用户名:<input type="text" name="userName"><br />
密码:<input type="password" name="userPass"><br />
<input type="submit" name="userSubmit" value="登录">
</form>
HTML;
echo $html;
}
?>logout.php
<?php
session_start();
session_destroy();//session的注销函数
echo "<meta charset='utf-8'>已注销,<a href='./index.php'>返回首页</a>";
?>
On the server side, a file corresponding to the session value is generated, and the file is empty
login successful
Let’s look at our server-side session file again, and store the login authentication information
Back to homepage
Logout
Correspondingly, on the server side, the session file is emptied and deleted
session security experiment
We open it in another browser and use the session value to log in to the test
Store information in the corresponding session value file on the server side
Open another browser and generate a new sess value
Replace the previous sess value
Refresh: just go in
When we log out on the first browser
Using the previous session value on another browser will invalidate
Because the content of the session file corresponding to the server side has been emptied, the entire sessiom value is invalid
Therefore, we should also pay attention to this link in our daily life. It is a good habit to log out at will!
