26  

First, let me tell you this. Nothing is 100% secure. Nothing is air tight, and nothing is sacred. If motivated enough, an attacker will break every server-side defense you may put (unless you are using HTTPS, which is a different story).

首先，我告诉你这个。没有什么是100％安全的。没有什么是气密的，没有什么是神圣的。如果有足够的动力，攻击者就会破坏你可能提出的每一个服务器端防御（除非你使用HTTPS，这是一个不同的故事）。

You may use cookies, but cookies are highly exposed and easily modified. Never store private data, or access levels in a cookie. As it is easily stolen/modified by an attacker.

您可以使用cookie，但cookie是高度暴露的并且易于修改。永远不要在cookie中存储私人数据或访问级别。因为它很容易被攻击者窃取/修改。

Sessions are not 100% safe either. The session ID, which the server uses to identify the client, is sent by one of 2 ways. a $_GET variable (bad), or a cookie (better, but still pretty bad). Meaning, if you are logged in as the administrator, over an unsecured WiFi, a skilled attacker (and by skilled I mean a pr0 haxx0r that downloaded a simple HTTP sniffer) can easily steal your SESSION ID. And while not getting your password, the server will wrongly identify the attacker as you, and grant him any access you may have/had.

会话也不是100％安全。服务器用于标识客户端的会话ID通过以下两种方式之一发送。 $ _GET变量（坏）或cookie（更好，但仍然非常糟糕）。这意味着，如果您以管理员身份登录，通过不安全的WiFi，熟练的攻击者（以及熟练的我是指下载简单的HTTP嗅探器的pr0 haxx0r）可以轻松窃取您的SESSION ID。虽然没有收到您的密码，但服务器会错误地将攻击者识别为您，并授予他您可能拥有/拥有的任何访问权限。

So what to do? Sessions are on most cases safe. Advise your users to not log in under an unsecured network (buses, internet cafes, etc.). If you want to allow your user authorization to persist over time, a cookie is required. I usually use a 2 cookie system if I need that:

那么该怎么办？在大多数情况下，会话安全。建议您的用户不要在不安全的网络（公交车，网吧等）下登录。如果您希望允许用户授权持续一段时间，则需要cookie。如果我需要，我通常使用2 cookie系统：

userid=12345
hash=$userid . $password . $user_specific_random_pregenerated_salt

Then I have something to match against, and the user's details weren't revealed.

然后我有一些东西可以匹配，并且没有透露用户的详细信息。

But like I said, in the end of the day, if you really REALLY wanted to secure your users, in above to everything else written in this answer, get yourself HTTPS.

但就像我说的那样，在一天结束的时候，如果你真的真的想要保护你的用户，那么在上面写下这个答案中的其他内容，就可以获得HTTPS。

7  

I would use a session.

我会用一个会话。

To help a little on security, once a users credentials have been verified use session_regenerate_id - since the session id is what is passed across in a cookie this is important if someone is sniffing around while login in processed.

为了帮助提高安全性，一旦验证了用户凭据，就使用session_regenerate_id - 因为会话ID是在cookie中传递的内容，如果有人在登录处理时嗅探，这很重要。

DO NOT STORE any information in the session pertaining to access credentials - a userId is often sufficient; personally I build a user object which I store in the session (these get auto serialized/unserialized between request - but you can read on that independantly).

不要在会话中存储与访问凭证相关的任何信息 - userId通常就足够了;我个人构建了一个用户对象，我在会话中存储（这些在请求之间自动序列化/反序列化 - 但你可以独立阅读）。

IF you wish to set a cookie so the user doesn't have to login on the next visit perhaps store the userId and an autogenerated token which can be checked against in the database (or similar) - I would add extras to the checking too - like storing the last ipaddress with the token to check as well, if they don't match then ask for login once more.

如果您希望设置一个cookie，这样用户就不必在下一次访问时登录，也可以存储userId和一个可以在数据库中检查的自动生成的令牌（或类似的） - 我也会在检查中添加额外内容 - 比如存储带有令牌的最后一个ipaddress，如果它们不匹配，则再次请求登录。

There are quite a few approaches that can be taken - I don't offer all/'the best' - get your code reviewed by people in a php community - you learn more that way.

有很多方法可以采取 - 我不提供所有/'最好的' - 让你的代码在php社区中得到人们的审查 - 你可以通过这种方式了解更多。

4  

If a person has a login and password, this can be set as a cookie in their browser so they do not have to re-login to your website every time they visit. You can store almost anything in a browser cookie. The trouble is that a user can block cookies or delete them at any time. If, for example, your website's shopping cart utilized cookies, and a person had their browser set to block them, then they could not shop at your website.

如果某人拥有登录名和密码，则可以在浏览器中将其设置为cookie，这样他们每次访问时都无需重新登录您的网站。您几乎可以在浏览器cookie中存储任何内容。问题是用户可以随时阻止cookie或删除它们。例如，如果您的网站的购物车使用了Cookie，并且某人将其浏览器设置为阻止它们，则他们无法在您的网站上购物。

When you store data in cookies, you must be absolutely certain that users can’t tamper with the data in any way. There’s no way to keep users from altering the data in a cookie; it’s absurdly easy. So, in order to ensure that your website doesn’t accept cookies containing altered data, you need to either encrypt the cookie values or sign them with a hash that allows you to verify their integrity.

在cookie中存储数据时，您必须绝对确定用户不能以任何方式篡改数据。没有办法阻止用户改变cookie中的数据;这太荒谬了。因此，为了确保您的网站不接受包含更改数据的cookie，您需要加密cookie值或使用允许您验证其完整性的哈希值对其进行签名。

1  

As @Madara said nothing is 100% secure and correct but as developer point of view I would say each and every methods of retaining user's session data has its own advantages and disadvantages for instance.

正如@Madara所说，没有什么是100％安全和正确的，但作为开发人员的观点，我会说保留用户会话数据的每一种方法都有其自身的优点和缺点。

User Data in Cookies vs Session

Cookie与会话中的用户数据

If you are keeps user's session data in cookies it will consume less server's RAM memory and processing because you don't have to keep logged user's info into RAM. also if user increases then its recommended to keep user session data in cookies rather than session because keeping in session would consume server resources and your application could be slower and non responsive sometime. where as if you are keeps user's logged in data into session It would be secure than cookies but it would consume more server resources.

如果您将用户的会话数据保存在cookie中，它将消耗较少的服务器RAM内存和处理，因为您不必将记录的用户信息保存到RAM中。此外，如果用户增加，那么建议将用户会话数据保留在cookie而不是会话中，因为保持会话将消耗服务器资源，并且您的应用程序可能会更慢并且无响应。好像你在哪里保持用户登录数据到会话它比cookie更安全，但它会消耗更多的服务器资源。

On final note: Both the ways are correct in its own implementation also if your application is using HTTPS protocol then security shouldn't be a concern. so I would suggest use methods of retaining user's session data according to the application's and business model's requirement.

最后说明：如果您的应用程序使用HTTPS协议，那么这两种方式在其自己的实现中都是正确的，那么安全性不应该是一个问题。所以我建议根据应用程序和业务模型的要求使用保留用户会话数据的方法。

1  

Best practice is to use PHP sessions.

最佳做法是使用PHP会话。

A PHP session is maintained by having the browser return a cryptographically secure (that is, not guessable as to the next valid value) string known as the session ID each time it makes a request during that session. The best and safest way to do that is to give the browser a session cookie, which it will then send with each request.

通过让浏览器在该会话期间每次发出请求时返回加密安全（即，不能猜测下一个有效值）字符串（称为会话ID）来维护PHP会话。最好和最安全的方法是为浏览器提供一个会话cookie，然后它将随每个请求一起发送。

The alternative method to using a session cookie is to included the PHP Session ID in the request URL itself as a GET variable. An example URL might look something like:

使用会话cookie的另一种方法是将PHP会话ID作为GET变量包含在请求URL本身中。示例网址可能如下所示：

https://www.example.com/mypage.php?PHPSESSID=cteekbf64igp5vdjjkktvoeb97

https://www.example.com/mypage.php?PHPSESSID=cteekbf64igp5vdjjkktvoeb97

This is not as secure as using a cookie, because the URL might accidentally get shared or stolen via other means.

这不如使用cookie那么安全，因为URL可能会意外地通过其他方式共享或被盗。

Security is many layered, like an onion (as the common example goes). The more secure you make something, the more effort it takes to make it secure, and the less convenient it is to use. It's a cost-benefit trade off. So you have to ask, how important is your data, is your user's privacy and safety, etc.

安全性很多，就像洋葱一样（常见的例子）。您制作的内容越安全，安全性越高，使用起来就越不方便。这是一次成本效益权衡。所以你必须问，你的数据有多重要，你的用户的隐私和安全等等。

For me, a base level would be to use PHP sessions with the session ID forced to be in cookies (block users who disable cookies), SSL encryption all the time, on both data and the cookies, and make sure the various PHP settings which affect security for sessions are set to the best, most secure settings. You'll want to read everything on these pages and child pages:

对我来说，基本级别是使用PHP会话，强制在cookie中的会话ID（阻止禁用cookie的用户），SSL加密，数据和cookie，并确保各种PHP设置影响会话的安全性设置为最佳，最安全的设置。您将要阅读这些页面和子页面上的所有内容：

• http://php.net/manual/en/intro.session.php
• http://php.net/manual/en/intro.session.php
• http://php.net/manual/en/session.security.php
• http://php.net/manual/en/session.security.php