1 Maintaining user information on a website via the session ID
<?php
session_start();
// Initialise the counter on the first visit instead of incrementing an undefined index.
$_SESSION['visits'] = ($_SESSION['visits'] ?? 0) + 1;
print 'You have visited here '.$_SESSION['visits'].' times.<br>';
// The cookie only arrives from the second request on; the first response is what sets it.
echo 'session id = '.($_COOKIE['PHPSESSID'] ?? '(cookie not sent yet)');
echo "<br>";
echo "session name = ".session_name()."<br>";
?>
The session ID is stored in the superglobal $_COOKIE under the name PHPSESSID; that cookie name can also be obtained with session_name().
2 Preventing session hijacking
<?php
// The original had the typo 'sessio.use_only_cookies', which ini_set silently ignores.
ini_set('session.use_only_cookies', '1');
session_start();
$salt = 'YourSpecialValueHere';
// The token is derived from the ISO week number plus the salt, so it rolls over weekly.
$tokenstr = date('W').$salt;
$token = md5($tokenstr);
echo 'token = '.$token.'<br>';
// Reject the request unless it carries the current token; compare in constant time.
if(!isset($_REQUEST['token']) || !hash_equals($token, (string)$_REQUEST['token']))
{
exit;
}
$_SESSION['token'] = $token;
// Append token=... to every URL in the buffered output that follows.
output_add_rewrite_var('token', $token);
echo '<a href="test.php">link</a>';
ob_flush();
output_reset_rewrite_vars();
?>
<?php
session_start();
// Register var=value with the URL rewriter; output buffering starts implicitly.
output_add_rewrite_var('var', 'value');
echo '<a href="file.php">link</a>';
ob_flush();
// Remove all rewrite variables, so later URLs are emitted untouched.
output_reset_rewrite_vars();
echo '<a href="file.php">link</a>';
?>
The above example outputs:
<a href="file.php?PHPSESSID=xxx&var=value">link</a>
<a href="file.php">link</a>
3 Preventing session fixation
- Use session cookies only, so the session identifier is never appended to the URL.
- Regenerate the session ID frequently.
<?php
// The original had 'session.use_only_cookie' (missing the final s), which ini_set ignores.
ini_set('session.use_only_cookies', '1');
session_start();
// Issue a fresh ID at most every 30 seconds and delete the old session data (true).
if(!isset($_SESSION['generated']) || $_SESSION['generated'] < (time() - 30))
{
session_regenerate_id(true);
$_SESSION['generated'] = time();
}
// session_id() reflects the regenerated ID; $_COOKIE['PHPSESSID'] still holds the
// value the browser sent with this request, i.e. the old one.
echo session_id();
?>
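The token in section 2 depends only on the week number and the salt, so every visitor receives the same value. The following is an added example, not code from the original notes, that combines sections 2 and 3 into one session bootstrap with a random per-session token, strict-mode ID acceptance and hardened cookie flags. It assumes PHP 7.3 or later (array form of session_set_cookie_params); the function names are my own.

```php
<?php
// Added example: hardened session handling covering sections 2 and 3 of the notes.
declare(strict_types=1);

function secure_session_start(): void
{
    // Refuse IDs the server never issued (blocks fixation with an attacker-chosen ID)
    // and never read the ID from the URL.
    ini_set('session.use_strict_mode', '1');
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_trans_sid', '0');
    session_set_cookie_params([
        'lifetime' => 0,
        'path'     => '/',
        'secure'   => true,   // only sent over HTTPS
        'httponly' => true,   // not readable from JavaScript
        'samesite' => 'Lax',
    ]);
    session_start();

    // Section 3: a fresh ID every 30 seconds, old session data discarded.
    if (!isset($_SESSION['generated']) || $_SESSION['generated'] < time() - 30) {
        session_regenerate_id(true);
        $_SESSION['generated'] = time();
    }
    // Section 2, per-session variant: a random token that forms must echo back.
    if (!isset($_SESSION['token'])) {
        $_SESSION['token'] = bin2hex(random_bytes(32));
    }
}

// Call after successful authentication so the pre-login ID is never reused.
function on_login(string $user): void
{
    session_regenerate_id(true);
    $_SESSION['user'] = $user;
}

// Constant-time comparison of the submitted token against the session's copy.
function token_is_valid(?string $submitted): bool
{
    return isset($_SESSION['token'], $submitted)
        && hash_equals($_SESSION['token'], $submitted);
}

secure_session_start();
if ($_SERVER['REQUEST_METHOD'] === 'POST' && !token_is_valid($_POST['token'] ?? null)) {
    http_response_code(403);
    exit('invalid token');
}
printf('<form method="post"><input type="hidden" name="token" value="%s"><button>go</button></form>',
    htmlspecialchars($_SESSION['token']));
```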