
Is it safe to store the verification code in the session when doing SMS verification in PHP?

When doing mobile phone SMS verification in PHP, is it safe to store the verification code in the session?

Session, database, or cache?

Where is the best place to store it?

Asked by 欧阳克, 2684 days ago (1009 views)

4 replies

  • phpcn_u1582 (2017-07-04 13:47:58)

    Database. Several constraints must be considered for the SMS verification code: 1. The same mobile phone number cannot receive another SMS message within a certain number of seconds. 2. The same IP cannot call the interface multiple times within a time period. For security reasons, you may also need to limit the number of SMS messages sent within a day to no more than a certain number. Therefore, it is better to use a database to implement these constraints. Session definitely doesn't work. Note: add a graphic verification code (CAPTCHA), otherwise the interface will be vulnerable to attacks.

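The database-backed design this answer describes, written out as an added example (this is not code from the thread or from php.cn): a PDO-backed store that enforces a per-phone resend cooldown, a per-IP hourly cap and a per-phone daily cap before a code is issued, keeps only a hash of the code, and limits wrong guesses. The table name, column names, limits, phone number and IP address are all this example's own choices; it uses an in-memory SQLite database so it runs stand-alone, and needs PHP 8.0 or later for constructor promotion.

```php
<?php
// Added example, not from the original thread. Policy values, table and
// column names are assumptions chosen for the demo; swap the SQLite DSN for
// your MySQL/PostgreSQL connection in production.
declare(strict_types=1);

final class SmsCodeStore
{
    private const RESEND_COOLDOWN_SEC = 60;   // same phone: one SMS per minute
    private const IP_MAX_PER_HOUR     = 10;   // same IP: at most 10 sends per hour
    private const PHONE_MAX_PER_DAY   = 5;    // same phone: at most 5 sends per day
    private const CODE_TTL_SEC        = 300;  // a code is valid for 5 minutes
    private const MAX_ATTEMPTS        = 5;    // wrong guesses before the code is dead

    public function __construct(private PDO $db)
    {
        $db->exec('CREATE TABLE IF NOT EXISTS sms_codes (
            id INTEGER PRIMARY KEY AUTOINCREMENT,
            phone TEXT NOT NULL,
            ip TEXT NOT NULL,
            code_hash TEXT NOT NULL,
            attempts INTEGER NOT NULL DEFAULT 0,
            used INTEGER NOT NULL DEFAULT 0,
            created_at INTEGER NOT NULL,
            expires_at INTEGER NOT NULL)');
        $db->exec('CREATE INDEX IF NOT EXISTS idx_sms_phone ON sms_codes(phone, created_at)');
        $db->exec('CREATE INDEX IF NOT EXISTS idx_sms_ip ON sms_codes(ip, created_at)');
    }

    /** Returns the plaintext code to hand to the SMS gateway, or throws if a limit is hit. */
    public function issue(string $phone, string $ip, int $now): string
    {
        if ($this->countSince($phone, 'phone', $now - self::RESEND_COOLDOWN_SEC) > 0) {
            throw new RuntimeException('cooldown: wait before requesting another code');
        }
        if ($this->countSince($ip, 'ip', $now - 3600) >= self::IP_MAX_PER_HOUR) {
            throw new RuntimeException('too many requests from this IP');
        }
        if ($this->countSince($phone, 'phone', $now - 86400) >= self::PHONE_MAX_PER_DAY) {
            throw new RuntimeException('daily SMS limit reached for this phone');
        }
        // 6-digit code from a CSPRNG. Only its hash is stored, so a database
        // read-out does not hand an attacker the live codes.
        $code = str_pad((string) random_int(0, 999999), 6, '0', STR_PAD_LEFT);
        $stmt = $this->db->prepare('INSERT INTO sms_codes (phone, ip, code_hash, created_at, expires_at)
                                    VALUES (?, ?, ?, ?, ?)');
        $stmt->execute([$phone, $ip, password_hash($code, PASSWORD_DEFAULT), $now, $now + self::CODE_TTL_SEC]);
        return $code;
    }

    /** Checks a submitted code against the newest unexpired, unused code for the phone. */
    public function verify(string $phone, string $code, int $now): bool
    {
        $stmt = $this->db->prepare('SELECT id, code_hash, attempts FROM sms_codes
                                    WHERE phone = ? AND used = 0 AND expires_at > ?
                                    ORDER BY created_at DESC LIMIT 1');
        $stmt->execute([$phone, $now]);
        $row = $stmt->fetch(PDO::FETCH_ASSOC);
        if ($row === false || (int) $row['attempts'] >= self::MAX_ATTEMPTS) {
            return false;
        }
        // Count the attempt before comparing, so probing is never free.
        $this->db->prepare('UPDATE sms_codes SET attempts = attempts + 1 WHERE id = ?')->execute([$row['id']]);
        if (!password_verify($code, $row['code_hash'])) {
            return false;
        }
        $this->db->prepare('UPDATE sms_codes SET used = 1 WHERE id = ?')->execute([$row['id']]);
        return true;
    }

    private function countSince(string $value, string $column, int $since): int
    {
        // $column is one of two fixed identifiers passed by this class, never user input.
        $stmt = $this->db->prepare("SELECT COUNT(*) FROM sms_codes WHERE $column = ? AND created_at >= ?");
        $stmt->execute([$value, $since]);
        return (int) $stmt->fetchColumn();
    }
}

// Demo run with constructed inputs (the phone number and IP are made up).
$store = new SmsCodeStore(new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]));
$t = 1_700_000_000;
$code = $store->issue('+8613800000000', '203.0.113.5', $t);
var_dump($store->verify('+8613800000000', '000000', $t + 10)); // false (unless the random code is 000000)
var_dump($store->verify('+8613800000000', $code, $t + 10));     // true
var_dump($store->verify('+8613800000000', $code, $t + 20));     // false: a code is single-use
try {
    $store->issue('+8613800000000', '203.0.113.5', $t + 30);     // inside the 60 s cooldown
} catch (RuntimeException $e) {
    echo $e->getMessage(), PHP_EOL;
}
```

The limits are checked against rows the same table already holds, so every constraint the answer lists comes from one `COUNT(*)` over an indexed `(phone, created_at)` or `(ip, created_at)` pair; the CAPTCHA the answer mentions belongs in front of `issue()`, not inside it.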
  • 某草草 (2017-07-04 13:47:58)

    It is recommended to keep it in a cache, such as redis or memcached.
    The performance of a cache is much better than that of the DB.

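The cache-based variant this answer recommends, as an added example (not code from the thread): the code, the resend cooldown, the per-IP and per-day counters and the wrong-guess counter all live in Redis, and Redis key expiry does the cleanup that the database version would need a cron job for. It assumes the phpredis extension (`Redis` class) and a Redis server on 127.0.0.1:6379; the key prefixes, limits, pepper, phone number and IP address are this example's own choices.

```php
<?php
// Added example, not from the original thread. Assumes phpredis and a local
// Redis server; key names and limits are assumptions for the demo.
declare(strict_types=1);

final class RedisSmsCodes
{
    private const CODE_TTL      = 300;  // seconds a code stays valid
    private const COOLDOWN      = 60;   // seconds between two SMS to the same phone
    private const IP_PER_HOUR   = 10;
    private const PHONE_PER_DAY = 5;
    private const MAX_ATTEMPTS  = 5;

    // $pepper is a server-side secret so a dumped Redis does not give away 6-digit codes.
    public function __construct(private Redis $r, private string $pepper) {}

    public function issue(string $phone, string $ip, int $now): string
    {
        // SET NX EX is one atomic round trip: it both checks and sets the cooldown marker.
        if ($this->r->set("sms:cooldown:$phone", '1', ['nx', 'ex' => self::COOLDOWN]) !== true) {
            throw new RuntimeException('cooldown: wait before requesting another code');
        }
        if ($this->bump("sms:ip:$ip:" . intdiv($now, 3600), 3600) > self::IP_PER_HOUR) {
            throw new RuntimeException('too many requests from this IP');
        }
        if ($this->bump("sms:day:$phone:" . intdiv($now, 86400), 86400) > self::PHONE_PER_DAY) {
            throw new RuntimeException('daily SMS limit reached for this phone');
        }
        $code = str_pad((string) random_int(0, 999999), 6, '0', STR_PAD_LEFT);
        // SETEX stores the value and its TTL in one command; a new code replaces
        // the previous one, and the attempt counter starts over with it.
        $this->r->setex("sms:code:$phone", self::CODE_TTL, hash_hmac('sha256', $code, $this->pepper));
        $this->r->del("sms:attempts:$phone");
        return $code;
    }

    public function verify(string $phone, string $code): bool
    {
        $stored = $this->r->get("sms:code:$phone");
        if ($stored === false) {
            return false;  // no code, or Redis already expired it
        }
        if ($this->bump("sms:attempts:$phone", self::CODE_TTL) > self::MAX_ATTEMPTS) {
            $this->r->del("sms:code:$phone");  // too many guesses: burn the code
            return false;
        }
        if (!hash_equals($stored, hash_hmac('sha256', $code, $this->pepper))) {
            return false;
        }
        $this->r->del("sms:code:$phone", "sms:attempts:$phone");  // single use
        return true;
    }

    /** INCR, then EXPIRE on the first hit: a fixed-window counter Redis cleans up by itself. */
    private function bump(string $key, int $ttl): int
    {
        $n = $this->r->incr($key);
        if ($n === 1) {
            $this->r->expire($key, $ttl);
        }
        return (int) $n;
    }
}

// Demo with constructed inputs (phone number and IP are made up).
$redis = new Redis();
$redis->connect('127.0.0.1', 6379);
$svc = new RedisSmsCodes($redis, 'load-this-pepper-from-config');
$code = $svc->issue('+8613800000000', '203.0.113.5', time());
var_dump($svc->verify('+8613800000000', $code)); // true
var_dump($svc->verify('+8613800000000', $code)); // false: the code was deleted on success
```

The time windows are fixed buckets (`intdiv($now, 3600)`), which is simple and cheap; if you need a sliding window, replace `bump()` with a sorted-set (`ZADD`/`ZREMRANGEBYSCORE`/`ZCARD`) per key.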
  • 欧阳克 (2017-07-04 13:47:58)

    Safe, because the session is on the server and cannot be seen by the client. As for the storage method of the session, you can use the default file session, you can store the session in the database, or you can store it in memory, such as the redis or memcache that someone mentioned above; under Linux you can also use a cache written by yourself. There is only a trade-off between efficiency and cost: using a cache costs more, while using the database is less efficient.

    But in fact, very few companies do this themselves now; they all use third parties. For websites with low traffic, a third party is more cost-effective. For websites with high traffic, are you really short of that money?

  • 黄舟 (2017-07-04 13:47:58)

    Security is relative. If you can ensure that the server can detect that the cookie has been tampered with, it is safe. This can be achieved through a dynamic signature. The dynamic signature can be a hash of the value, a key, and the time; the server then verifies the dynamic signature. However, it is generally more convenient to use a cache such as redis for this business scenario. Session is not recommended: the session timeout cannot be controlled as easily as it can with a cache.

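The "dynamic signature" this answer sketches, as an added example (not code from the thread): the server hands the client a cookie value made of the phone number, an expiry time and an HMAC over phone, expiry and the SMS code under a server-only key. The code itself never goes into the cookie; on submit the server recomputes the HMAC over the submitted code and compares it in constant time, so tampering with the phone or the expiry, or guessing the code, fails without the server storing anything. The key, token layout, phone number and timestamps are this example's own choices; it needs PHP 8.0 or later.

```php
<?php
// Added example, not from the original thread. Token format and field
// separators are assumptions chosen for the demo.
declare(strict_types=1);

final class SignedSmsChallenge
{
    private const TTL_SEC = 300;

    // $serverKey must stay secret (env, KMS, etc.); anyone holding it can forge tokens.
    public function __construct(private string $serverKey) {}

    /** Token for the cookie: phone|expires|base64(mac). The SMS code is NOT in it. */
    public function issue(string $phone, string $code, int $now): string
    {
        $expires = $now + self::TTL_SEC;
        return $phone . '|' . $expires . '|' . base64_encode($this->mac($phone, $expires, $code));
    }

    /** Recomputes the MAC over the submitted code and compares in constant time. */
    public function verify(string $token, string $phone, string $submittedCode, int $now): bool
    {
        $parts = explode('|', $token);
        if (count($parts) !== 3) {
            return false;
        }
        [$tokenPhone, $expires, $macB64] = $parts;
        if (!ctype_digit($expires) || (int) $expires <= $now) {
            return false;  // malformed or expired
        }
        if (!hash_equals($tokenPhone, $phone)) {
            return false;  // token was issued for a different number
        }
        $given = base64_decode($macB64, true);
        if ($given === false) {
            return false;
        }
        return hash_equals($this->mac($phone, (int) $expires, $submittedCode), $given);
    }

    private function mac(string $phone, int $expires, string $code): string
    {
        // Domain-separated and length-delimited so "12|345" and "123|45" cannot collide.
        $msg = 'sms-v1' . "\0" . strlen($phone) . ':' . $phone . "\0" . $expires . "\0" . $code;
        return hash_hmac('sha256', $msg, $this->serverKey, true);
    }
}

// Demo with constructed values (phone number and clock are made up).
$svc   = new SignedSmsChallenge(random_bytes(32));
$code  = str_pad((string) random_int(0, 999999), 6, '0', STR_PAD_LEFT);
$t     = 1_700_000_000;
$token = $svc->issue('+8613800000000', $code, $t);  // goes into the cookie; $code goes out by SMS

var_dump($svc->verify($token, '+8613800000000', $code, $t + 60));      // true
var_dump($svc->verify($token, '+8613800000000', '000000', $t + 60));   // false (unless the code is 000000)
var_dump($svc->verify($token, '+8613800000000', $code, $t + 301));     // false: expired
$tampered = str_replace('|' . ($t + 300) . '|', '|' . ($t + 9999) . '|', $token);
var_dump($svc->verify($tampered, '+8613800000000', $code, $t + 301));  // false: MAC no longer matches
```

Two caveats follow from the design being stateless, and they are why the answer still prefers a cache: the server cannot count wrong guesses, so a 6-digit code must be protected by per-phone and per-IP rate limiting elsewhere, and a token stays valid until its expiry even after a successful verification, so it is not single-use unless you record used tokens somewhere.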