且构网 - Sharing what programmers run into in development

Client access to superglobals

Updated: 2021-07-30 22:52:59

Is my table right?

No.

With the exception of $_SESSION, all of those superglobals contain data pulled from the request made by the client. The client can set the initial value (for a given run of the PHP program) for any of them.

The client can't read any of them. (They can read all the data sent by or stored in their browser and infer the data in any of those superglobals from it ($_SESSION still excepted), but they can't read the superglobals themselves.)

The client can't edit any of them (other than by making a new request, which would rerun the PHP program from the start).

$_SESSION contains data stored on the server. A particular session can be selected with the session ID that is stored in a cookie and sent by the client.

Anyone could add a fake form inside the DOM to POST anything, or use a simple Chrome extension like EditThisCookie to read, create or edit any cookie.

Yes. Don't trust data from the client blindly. The client can send whatever data it wants in the cookies, query string or POST body.

Or sometimes I used the POST method to verify that a call comes from a specific page, but then I realized that the client could read the content of that form and fake it from anywhere. Should I use SESSION for this purpose too?

You probably don't care.


(Tricking a third party into submitting fake data is another matter, but see this question).

Where should I store sensitive data such as access tokens or user IDs?

Access tokens (providing they are tokens which are designed to give a particular user access to something and not (say) an API key that your server should use to access a third-party server) need to be stored on the client. The particular place depends on how you are going to use it. For the most part, a session ID is fine.

User IDs (assuming they are being used as evidence that the user is that user ID) need to be stored in such a way that they can't be edited to someone else's. That means either being stored on the server (in a session usually) or in a format that can't be altered (like an encrypted JWT on the client).
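The last two points of the answer, as an added example that is not from the original post: a PHP script contrasting a user ID read straight out of $_COOKIE (which the client can rewrite with a cookie editor or `curl -b`) with a tamper-evident alternative, an HMAC-signed token whose payload the client can read but cannot alter without the server key. The key SECRET, the cookie names user_id and auth, the helper names and the sample IDs are assumptions made for the demo; the session-based alternative the answer prefers is sketched in the header comment.

```php
<?php
declare(strict_types=1);

// Added example, not part of the original answer. It contrasts a user ID
// read straight out of $_COOKIE (which the client can rewrite, e.g. with
// EditThisCookie or `curl -b`) with a tamper-evident alternative: an
// HMAC-signed token whose contents the client can read but cannot alter.
// SECRET, the cookie names and the user IDs below are assumptions for the demo.
//
// The usual server-side alternative is the session: after authentication,
//   session_start(); session_regenerate_id(true); $_SESSION['user_id'] = $id;
// and later requests read $_SESSION['user_id']; the client only holds the ID
// of the session, never the data stored in it.

const SECRET = 'assumed-long-random-server-side-key-never-sent-to-the-client';

function b64url(string $raw): string
{
    return rtrim(strtr(base64_encode($raw), '+/', '-_'), '=');
}

function b64urlDecode(string $enc): string
{
    return (string) base64_decode(strtr($enc, '-_', '+/'), true);
}

// Insecure: whatever the client put in the cookie becomes "the" user.
function currentUserIdInsecure(array $cookie): ?string
{
    return isset($cookie['user_id']) ? (string) $cookie['user_id'] : null;
}

// Issue "body.sig" where sig = HMAC-SHA256(body) under the server key.
function issueToken(string $userId, int $expiresAt, string $key): string
{
    $body = b64url(json_encode(['sub' => $userId, 'exp' => $expiresAt]));
    return $body . '.' . b64url(hash_hmac('sha256', $body, $key, true));
}

// Verify: recompute the MAC, compare in constant time, then check expiry.
function verifyToken(string $token, string $key, int $now): ?string
{
    $parts = explode('.', $token);
    if (count($parts) !== 2) {
        return null;
    }
    [$body, $sig] = $parts;
    $expected = b64url(hash_hmac('sha256', $body, $key, true));
    if (!hash_equals($expected, $sig)) {
        return null; // body or signature was altered, or not issued by this server
    }
    $payload = json_decode(b64urlDecode($body), true);
    if (!is_array($payload) || !isset($payload['sub'], $payload['exp'])
        || !is_int($payload['exp']) || $payload['exp'] < $now) {
        return null;
    }
    return (string) $payload['sub'];
}

// Secure: the cookie carries only the token; the ID comes from the verified payload.
function currentUserIdSecure(array $cookie, string $key, int $now): ?string
{
    if (!isset($cookie['auth']) || !is_string($cookie['auth'])) {
        return null;
    }
    return verifyToken($cookie['auth'], $key, $now);
}

// --- Constructed demo: simulate two requests by filling $_COOKIE ourselves ---
$now   = 1700000000;
$token = issueToken('42', $now + 3600, SECRET);

// 1. An honest client sends back exactly what the server issued.
$_COOKIE = ['user_id' => '42', 'auth' => $token];
printf("honest  insecure=%s secure=%s\n",
    currentUserIdInsecure($_COOKIE) ?? 'null',
    currentUserIdSecure($_COOKIE, SECRET, $now) ?? 'null');

// 2. The same client edits both cookies to claim user 1, reusing the old signature.
[, $oldSig] = explode('.', $token);
$forgedBody = b64url(json_encode(['sub' => '1', 'exp' => $now + 3600]));
$_COOKIE = ['user_id' => '1', 'auth' => $forgedBody . '.' . $oldSig];
printf("forged  insecure=%s secure=%s\n",
    currentUserIdInsecure($_COOKIE) ?? 'null',
    currentUserIdSecure($_COOKIE, SECRET, $now) ?? 'null');
// The insecure reader now treats the client as user 1; the secure reader
// rejects the token because the MAC no longer matches the edited body.
```

Run it with `php demo.php`. The token here is signed, not encrypted: the client can decode the payload and see `sub`, which is fine for a user ID, but anything secret must stay in $_SESSION on the server. The point the answer makes is the integrity property, not confidentiality: a value the client can rewrite must never be the evidence of who they are.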