企业官网建设流程全解析

PHP会话管理与安全配置

会话管理是Web开发的基础知识。PHP的会话机制默认用文件存储session数据。今天说说会话的安全配置和高级用法。

基本的会话操作是session_start和$_SESSION。

```php
session_start();

$_SESSION['user_id'] = 123;
$_SESSION['username'] = '张三';

echo "欢迎: {$_SESSION['username']}\n";

function isLoggedIn(): bool
{
return isset($_SESSION['user_id']);
}

function logout(): void
{
$_SESSION = [];
if (ini_get('session.use_cookies')) {
setcookie(session_name(), '', time() - 3600, '/');
}
session_destroy();
}
?>
```

会话安全配置很重要。httponly、secure、samesite这些参数要设置好。

```php
ini_set('session.use_strict_mode', 1);
ini_set('session.use_cookies', 1);
ini_set('session.use_only_cookies', 1);
ini_set('session.cookie_httponly', 1);
ini_set('session.cookie_secure', 1);
ini_set('session.cookie_samesite', 'Lax');
ini_set('session.gc_maxlifetime', 7200);
ini_set('session.sid_length', 48);

session_start();

// 定期重新生成会话ID
if (!isset($_SESSION['_last_regenerated'])) {
$_SESSION['_last_regenerated'] = time();
} elseif (time() - $_SESSION['_last_regenerated'] > 300) {
session_regenerate_id(true);
$_SESSION['_last_regenerated'] = time();
}
?>
```

文件会话在高并发下性能不好。每个请求都要读写session文件，如果有并发请求同时访问同一个session，会触发文件锁竞争。解决方法是用Redis或数据库存储会话。

```php
class RedisSessionHandler implements SessionHandlerInterface
{
private Redis $redis;
private int $ttl;

public function __construct(Redis $redis, int $ttl = 7200)
{
$this->redis = $redis;
$this->ttl = $ttl;
}

public function open(string $savePath, string $sessionName): bool { return true; }
public function close(): bool { return true; }

public function read(string $sessionId): string
{
$data = $this->redis->get('sess:' . $sessionId);
return $data !== false ? $data : '';
}

public function write(string $sessionId, string $data): bool
{
if (empty($data)) return true;
return $this->redis->setex('sess:' . $sessionId, $this->ttl, $data);
}

public function destroy(string $sessionId): bool
{
return $this->redis->del('sess:' . $sessionId) > 0;
}

public function gc(int $maxlifetime): int { return 0; }
}

$redis = new Redis();
$redis->connect('127.0.0.1', 6379);
$handler = new RedisSessionHandler($redis);
session_set_save_handler($handler, true);
session_start();
$_SESSION['user_id'] = 123;
echo "Redis会话已启动\n";
?>
```

无状态会话把session数据加密后存在客户端cookie里。服务器不存会话数据，适合需要水平扩展的场景。

```php
class TokenSession
{
private string $secret;
private int $ttl;

public function __construct(string $secret, int $ttl = 86400)
{
$this->secret = $secret;
$this->ttl = $ttl;
}

public function set(string $key, mixed $value): void
{
$data = $this->getAll();
$data[$key] = $value;
$this->save($data);
}

public function get(string $key, mixed $default = null): mixed
{
$data = $this->getAll();
return $data[$key] ?? $default;
}

public function getAll(): array
{
if (!isset($_COOKIE['auth_token'])) return [];
try {
$data = base64_decode($_COOKIE['auth_token']);
$iv = substr($data, 0, 16);
$encrypted = substr($data, 16);
$decrypted = openssl_decrypt($encrypted, 'aes-256-cbc', $this->secret, 0, $iv);
return json_decode($decrypted, true) ?: [];
} catch (\Exception $e) {
return [];
}
}

private function save(array $data): void
{
$json = json_encode($data + ['exp' => time() + $this->ttl]);
$iv = openssl_random_pseudo_bytes(16);
$encrypted = openssl_encrypt($json, 'aes-256-cbc', $this->secret, 0, $iv);
setcookie('auth_token', base64_encode($iv . $encrypted), time() + $this->ttl, '/', '', true, true);
}

public function destroy(): void
{
setcookie('auth_token', '', time() - 3600, '/');
}
}
?>

会话管理要处理好安全性、性能和可扩展性的平衡。文件session简单但性能差，Redis session性能好，无状态session最适合分布式环境。选择哪种方案要根据项目规模来定。