我开发了一个使用基于cookie的会话的
PHP Web应用程序,它一切正常 – 直到我意识到它将无法在禁用第三方cookie的浏览器中工作(因为脚本将在iframe上加载另一个网站/域名).
所以我决定切换到基于URL的会话(我认为这是安全的,因为脚本在iframe中,没有可见的URL供用户共享或书签等).
但是,出于某种原因,由于我切换到基于域的会话,我的Web应用程序中的每个页面都使用不同的会话ID.
这是我的代码……
- ini_set("session.use_cookies",0);
- ini_set("session.use_only_cookies",0);
- ini_set("session.use_trans_sid",1);
- ini_set("session.cache_limiter","");
- session_start();
- echo "<p>Session ID: " . session_id() . "</p>"; // Test output
我的Web应用程序的第一页包含一个表单,我看到PHP自动添加了所需的隐藏会话ID输入:
< input type =“hidden”name =“PHPSESSID”value =“m4jbeec47uplnf95ue2h244a02”/>
但是下一页(表单提交)报告的会话ID是
会话ID:iiovfkrf3hesj1um5orasv7it6
此外,当我使用https://(而不是http://)加载第一页时,提交表单会导致重新加载相同的页面(而不是正在加载的下一页).
我已经尝试过的:
ini_set(“session.cookie_secure”,0);
和
ini_set(“session.cookie_secure”,1);
和
ini_set(‘session.gc_maxlifetime’,30 * 60); //在30分钟后到期
和(在脚本的末尾)
session_write_close();
并删除
ini_set(“session.cache_limiter”,“”);
来自PHPinfo():
- session.auto_start Off Off
- session.cache_expire 180 180
- session.cache_limiter nocache nocache
- session.cookie_domain no value no value
- session.cookie_httponly Off Off
- session.cookie_lifetime 0 0
- session.cookie_path / /
- session.cookie_secure Off Off
- session.entropy_file no value no value
- session.entropy_length 0 0
- session.gc_divisor 1000 1000
- session.gc_maxlifetime 1440 1440
- session.gc_probability 1 1
- session.hash_bits_per_character 5 5
- session.hash_function 0 0
- session.name PHPSESSID PHPSESSID
- session.referer_check no value no value
- session.save_handler files files
- session.save_path /tmp /tmp
- session.serialize_handler PHP PHP
- session.upload_progress.cleanup On On
- session.upload_progress.enabled On On
- session.upload_progress.freq 1% 1%
- session.upload_progress.min_freq 1 1
- session.upload_progress.name PHP_SESSION_UPLOAD_PROGRESS PHP_SESSION_UPLOAD_PROGRESS
- session.upload_progress.prefix upload_progress_ upload_progress_
- session.use_cookies On On
- session.use_only_cookies On On
- session.use_strict_mode Off Off
- session.use_trans_sid 0 0
有任何想法吗?
我认为问题必定是由于我的代码中的某个错误.我在下面创建了测试脚本,它按预期工作(在同一台服务器上):
URL的会话test.PHP的
- <?PHP
- $page_title = "URL Session Test (v11)";
- ini_set("session.use_cookies",1);
- //ini_set("session.cache_limiter","");
- ini_set('session.gc_maxlifetime',30 * 60); // expires in 30 minutes
- session_start();
- $session_id = session_id();
- $is_new_session = !isset($_SESSION["existing"]);
- $_SESSION["existing"] = true;
- if ($is_new_session) {
- $_SESSION["my_key"] = "MY PRIVATE KEY";
- }
- $my_session_key = $_SESSION["my_key"];
- $timezone = $_SESSION["timezone"];
- if ($timezone) {
- date_default_timezone_set($timezone);
- }
- if ($_POST['PHPSESSID']) {
- $session_id_received = $_POST['PHPSESSID'];
- }
- else {
- $session_id_received = "";
- }
- ?><!DOCTYPE html>
- <html>
- <head>
- <title><?PHP echo $page_title; ?></title>
- </head>
- <body>
- <h1><?PHP echo $page_title; ?></h1>
- <p>Is new session: <?PHP echo $is_new_session; ?></p>
- <p>My session key: <?PHP echo $my_session_key; ?></p>
- <p>Received session ID: <?PHP echo $session_id_received; ?></p>
- <p>Actual session ID: <?PHP echo $session_id; ?></p>
- <form method="POST">
- <input type="submit" value="Click this form submit button to see how if the above session ID is received by the next page" />
- </form>
- <a href="url-session-test.PHP">Hover over this link to check the session ID parameter</a>
- </body>
- </html>
我发现它后会发布实际的bug …
UPDATE
问题是我使用的是POST-Redirect-GET模型,而我没有将所需的PHPSESSID参数附加到GET URL!