php session & iframe


Problem description

I have read a couple of related posts here, but cannot seem to be able to make my script work as intended.

I have a login page where a user logs in. If the password matches, the script writes two values into the $_SESSION variable: ['loggedin']='yes' and ['loginname']="username".

After a successful login, the user goes to another page that has 2 iframes in it.

One iframe uses external content and does not require authentication (removing this iframe from the page does not change anything).

The other iframe uses dynamically generated content from the same domain and does check whether the session variables are still there.

One of the functions refreshes the content of that dynamically generated iframe.

Once this is done, the session variables are lost. In fact, the session itself no longer exists.

I have session_start(); on every page that is used in connection with this script.

Any help would be greatly appreciated.

Recommended answer

I believe this article will be useful: http://www.how2guru.com/archives/php-session-problem-while-using-iframe/

The short answer is: in the iframe, start the session like this:

header('P3P: CP="CAO PSA OUR"');
session_start();

Thought I should update this answer, since I stumbled upon something interesting everyone should know about.

This P3P header hack does not work on Safari.

Below I describe my login flow, and how I solved this problem.

My login flow looks like this (page app):

  • checking if the current user has a session,
  • if not, redirect to the login URL (generated by the PHP SDK),
  • the login dialog redirects back to a URL, where I use the 'code' GET parameter Facebook gives me to get an access token, which I can store for later use (saving to the DB and to the session). If I'm done with that, I redirect the user to my page app, where everything will work.
  • everyone should be happy at this point.

But here comes the problem.

If a user uses Safari, and tries to open this app when the session has already been destroyed (a few days later, for example), the following thing will happen:

  • The code checks for a session: it finds the user ID (PHP SDK getUser() method), so I first check for an entry in the database.
  • Since the user has logged in before, he has an entry in the database, so I just grab it and save it into a session, so that later AJAX calls can get all the information they need.

The important thing to note here is that this code runs in a page tab within an iframe.

So for most of the users the code will work, because of the P3P header hack.

But not for Safari users.

Safari doesn't care about the given header; it refuses to save the session, hence the user logs in to the app and everything seems to work fine, but the AJAX calls won't work, since they won't have any session to work with.

The solution:

Quite simple actually. Although not too elegant, hey, it works: I check whether the client browser is Safari or not, and if it is, I redirect to a custom URL where I start a session - outside the Facebook iframe - and then redirect back to the app.

This will create the cookie without a problem, so sessions will be available.

Here is some code:

// Safari only: Chrome's User-Agent also contains "Safari", so exclude it.
// strpos() is compared against false, since a match at offset 0 is falsy.
if (strpos($_SERVER['HTTP_USER_AGENT'], 'Safari') !== false && strpos($_SERVER['HTTP_USER_AGENT'], 'Chrome') === false) {
    // No cookies arrived at all: break out of the iframe to set one at top level.
    if (count($_COOKIE) === 0) {
        echo '<script>
        top.location = "http://www.domain.com/setcookie.php";
        </script>';
    }
}

  • setting the session (setcookie.php)

    // Runs at top level (outside the iframe), so the session cookie is accepted.
    header('P3P: CP="CAO PSA OUR"');
    session_start();
    $_SESSION = array();

    // Send the browser back into the Facebook app.
    echo
    '<script>
    top.location = "http://back-to-the-facebook-app.com";
    </script>';

I hope this additional trick will help someone.

EDIT2

I didn't try this one out yet, but instead of adding the P3P header, you could just add the following lines to your .htaccess:

     <IfModule mod_headers.c>
       Header set P3P "policyref=\"/w3c/p3p.xml\", CP=\"IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT\""
     </IfModule>

With comments:

    # ------------------------------------------------------------------------------
    # | Cookie setting from iframes                                                |
    # ------------------------------------------------------------------------------

    # Allow cookies to be set from iframes in IE.
    # http://msdn.microsoft.com/en-us/library/ms537343.aspx
    # http://www.w3.org/TR/2000/CR-P3P-20001215/

    <IfModule mod_headers.c>
      Header set P3P "policyref=\"/w3c/p3p.xml\", CP=\"IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT\""
    </IfModule>

All credit for this .htaccess code goes to the guys behind the Yeoman project.
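As an added example (not the original answer's code), here is the Safari workaround above written with the checks missing from the posted snippet: strpos() compared with !== false, a return URL validated against an allow-list instead of taken from the request, and the cookie attributes a cross-site iframe needs in current browsers. The function names, APP_RETURN_URLS and the example.com URLs are assumptions.

```php
<?php
// Added example (not the answer's own code): the "bounce to the top level to set
// the cookie" flow from the answer, hardened. Names and example.com URLs are assumed.

// Allow-list of pages the bootstrap may send the browser back to (constructed
// placeholder). Redirecting to an unchecked caller-supplied URL would make
// setcookie.php an open redirect.
const APP_RETURN_URLS = ['https://apps.example.com/page-app'];

// Chrome's User-Agent also contains "Safari", hence the second test; strpos()
// is compared with !== false so a match at offset 0 still counts.
function isSafariNotChrome(string $ua): bool
{
    return strpos($ua, 'Safari') !== false && strpos($ua, 'Chrome') === false;
}

// Anything not on the allow-list falls back to the first entry.
function safeReturnUrl(?string $requested): string
{
    return in_array($requested, APP_RETURN_URLS, true) ? $requested : APP_RETURN_URLS[0];
}
// json_encode() quotes and escapes the URL, so it cannot break out of the JS
// string or the <script> element.
function topLevelRedirect(string $url): string
{
    return '<script>top.location = ' . json_encode($url) . ';</script>';
}

// Framed page: return the break-out markup when Safari has blocked every cookie,
// otherwise start the session and return '' so the page can continue.
function handleIframePage(string $ua, array $cookies, ?string $return): string
{
    header('P3P: CP="CAO PSA OUR"');
    if (isSafariNotChrome($ua) && count($cookies) === 0) {
        return topLevelRedirect('https://www.example.com/setcookie.php?return='
            . rawurlencode(safeReturnUrl($return)));
    }
    session_start();
    return '';
}

// setcookie.php, loaded at top level outside the iframe. Cookie flags assumed:
// Secure + SameSite=None, which current browsers require before they will send
// a session cookie into a cross-site iframe at all.
function handleBootstrapPage(?string $return): string
{
    session_set_cookie_params(['secure' => true, 'httponly' => true, 'samesite' => 'None']);
    session_start();
    return topLevelRedirect(safeReturnUrl($return));
}
```

Each page calls its handler with $_SERVER['HTTP_USER_AGENT'], $_COOKIE and $_GET['return'] and echoes the returned string; because the handlers return markup instead of printing it, header() is always sent before any output.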
