use_strict_mode in php sessions


Question

Can anyone explain to me what use_strict_mode in the php.ini config is responsible for? In the documentation it tells me the following:

session.use_strict_mode specifies whether the module will use strict session id mode. If this mode is enabled, the module does not accept uninitialized session ID. If uninitialized session ID is sent from browser, new session ID is sent to browser. Applications are protected from session fixation via session adoption with strict mode. Defaults to 0 (disabled).

My rudimentary understanding is that it always creates a session ID for you, but I already saw another config option which does the same. So I assume that my understanding is wrong. So why do we need it? (The closest I saw is that it prevents OWASP A9, but it does not give me a lot of information.)

Answer

No, that is not session auto start.

That is just that if someone creates a session ID and sends it to your server, and PHP realizes that there is no session so far with that ID (when strict mode is on), PHP will create a new, different session ID and initialize the session to that new one, instead of (as when strict mode is off) the user-injected value for the session ID.

A more elaborate introduction and the motivation for Strict Session ID Handling in PHP have been outlined in an RFC in the PHP wiki: Request for Comments: Strict Sessions.

So with strict mode off, a user can decide which session ID she wants to use.

With strict mode on, the user can not decide that.

So you need it when you do not want to allow a user to pre-define the session ID value. You normally want to prevent that to reduce the attack surface.
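As an added example, not code from the question or the answer above: a PHP session bootstrap that turns strict mode on and logs the case the answer describes, a browser-presented ID that PHP refused to adopt. The function names, the cookie flags and the log message are my assumptions.

```php
<?php
// Added example: enable session.use_strict_mode at runtime and detect when
// PHP discarded a session ID it did not create. session_bootstrap() and
// session_mark_logged_in() are hypothetical names for this illustration.

declare(strict_types=1);

function session_bootstrap(): void
{
    // Reject uninitialized session IDs instead of adopting them.
    // Must be set before session_start(); php.ini is the preferred place,
    // this runtime ini_set() is a fallback for hosts you do not control.
    ini_set('session.use_strict_mode', '1');
    ini_set('session.use_only_cookies', '1');   // IDs in URLs are another fixation vector
    ini_set('session.cookie_httponly', '1');
    ini_set('session.cookie_samesite', 'Lax');

    // The ID the browser sent, as it was in the request (may be absent).
    $presented = $_COOKIE[session_name()] ?? null;

    session_start();

    // With strict mode on, an unknown ID is replaced by a freshly generated
    // one, so the presented ID and the live ID differ. That is either an
    // expired session or an attempted fixation; worth a log line either way.
    if ($presented !== null && $presented !== session_id()) {
        error_log(sprintf(
            'session: rejected uninitialized id %s... from %s, issued a new id',
            substr($presented, 0, 8),
            $_SERVER['REMOTE_ADDR'] ?? 'unknown'
        ));
    }
}

function session_mark_logged_in(int $userId): void
{
    // Strict mode stops adoption of attacker-chosen IDs, but an ID the
    // attacker obtained from the server earlier is still a valid session.
    // Rotating the ID at every privilege change closes that remaining gap.
    session_regenerate_id(true);
    $_SESSION['user_id'] = $userId;
}

session_bootstrap();
```

The comparison works because $_COOKIE reflects the request as received, while session_id() reflects the ID PHP settled on after applying strict mode.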
