Is it safe to store the verification code in the session when doing SMS verification in PHP?
欧阳克 2017-07-04 13:45:58

Is it safe for PHP to do mobile phone SMS verification and store the verification code in the session?

Session, database, or cache: where is the best place to store it?

欧阳克

Reviewing the old to learn the new makes one fit to be a teacher. Blog: www.ouyangke.com

All replies (4)
phpcn_u1582

Database. Several constraints must be considered for the SMS verification code: 1. The same mobile phone number cannot receive another SMS within a certain number of seconds. 2. The same IP cannot make multiple calls within a time period. For security reasons, you may also need to add a limit so that there cannot be more than a certain number of SMS messages within a day. Therefore, it is better to use a database to implement these constraints. Session definitely doesn't work. Note: Add a graphic verification code, otherwise the interface will be vulnerable to attacks.

    某草草

    It is recommended to put it in a cache, such as redis or memcached.
    The performance of a cache is much better than that of a DB.

      学霸

      Safe, because the session is on the server and cannot be seen by the client. As for how the session is stored, you can keep the default file session, you can store the session in the database, you can also store it in memory, such as the redis or memcache that someone mentioned above, or, under Linux, you can use a cache you wrote yourself. You can only pick one of efficiency and cost: the cost of using a cache is high, but the efficiency of using a database is low.

      But in fact, very few companies now do this themselves, and they all use third parties. For websites with low traffic, third parties are more cost-effective. For websites with high traffic, do you still lack this money?

        黄舟

        Security is relative. If you can ensure that the server can detect that the cookie has been tampered with, it is safe. This can be achieved through dynamic signatures. The dynamic signature can be a hash of the value, a key, and the time. The server then verifies the dynamic signature. However, it is generally more convenient to use a cache such as redis to implement this business scenario. Using the session is not recommended. The timeout event of session cannot be easily controlled by cache.
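The advice in the replies above (server-side storage in a cache or database, a per-number cooldown, a per-IP limit, a daily cap and a timeout you control) combined in one added example; it is not code from any of the posters. The class name, the key names and every limit are assumptions, the array stands in for Redis, memcached or a database table, and the guess limit and single-use check go beyond what the replies list.

```php
<?php
// Added example (PHP 8): $kv stands in for Redis/memcached or a DB table; all limits are assumed values.
final class SmsCodeStore
{
    private const COOLDOWN = 60;   // seconds between sends to one number
    private const IP_MAX = 5;      // sends allowed per IP per 10 minutes
    private const DAILY_MAX = 10;  // sends allowed per number per 24 hours
    private const TTL = 300;       // code lifetime in seconds
    private const MAX_TRIES = 5;   // guesses allowed per issued code
    private array $kv = [];        // key => [value, expiry time]

    private function get(string $k, int $now): mixed
    {
        return ($this->kv[$k][1] ?? 0) > $now ? $this->kv[$k][0] : null;
    }

    private function bump(string $k, int $ttl, int $now): int
    {
        $n = $this->get($k, $now);  // an absent or expired counter starts a new window
        $this->kv[$k] = [($n ?? 0) + 1, $n === null ? $now + $ttl : $this->kv[$k][1]];
        return $this->kv[$k][0];
    }

    public function issue(string $phone, string $ip, int $now): ?string
    {
        if ($this->get("cd:$phone", $now) !== null
            || ($this->get("ip:$ip", $now) ?? 0) >= self::IP_MAX
            || ($this->get("day:$phone", $now) ?? 0) >= self::DAILY_MAX) {
            return null;  // a limit applies: send no SMS
        }
        $this->bump("cd:$phone", self::COOLDOWN, $now);
        $this->bump("ip:$ip", 600, $now);
        $this->bump("day:$phone", 86400, $now);
        unset($this->kv["try:$phone"]);  // a new code gets a fresh guess budget
        $this->kv["code:$phone"] = [sprintf('%06d', random_int(0, 999999)), $now + self::TTL];
        return $this->kv["code:$phone"][0];  // hand this to the SMS gateway
    }

    public function verify(string $phone, string $input, int $now): bool
    {
        $code = $this->get("code:$phone", $now);  // null once expired or used
        if ($code === null || $this->bump("try:$phone", self::TTL, $now) > self::MAX_TRIES
            || !hash_equals($code, $input)) {
            return false;
        }
        unset($this->kv["code:$phone"]);  // single use
        return true;
    }
}
```

In real use pass `time()` as `$now`; the explicit parameter only makes the expiry and window logic easy to exercise.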
