session_regenerate_id() doesn't work in IE11/Edge


Question

I have a standard authentication situation... The visitor fills login+password into a form, a php script authenticates it in the database and redirects back to some page.

In this process, we just add session_regenerate_id(true) when the customer is successfully authenticated, just before the redirect. Everything works fine in Chrome, but it doesn't work in some versions (not all) of IE11 and the latest version of Edge (tried in VirtualBox - downloaded from modern.ie). Maybe it doesn't work in some other browsers.

How it works in Chrome:

  • client loads page with login form - he has session id AAA
  • client sends the form - the request has session id AAA
  • client is being authenticated - session_regenerate_id(true) called
  • response has Set-cookie and session id BBB (+Location: YYY)
  • browser makes request to YYY with session id BBB
  • response doesn't have set-cookie, so session id is BBB
  • client is authenticated

How it works in IE11/Edge:

  • client loads page with login form - he has session id AAA
  • client sends the form - the request has session id AAA
  • client is being authenticated - session_regenerate_id(true) called
  • response has Set-cookie and session id BBB (+Location: YYY)
  • browser makes request to YYY with session id AAA
  • response doesn't have set-cookie, so session id is AAA
  • client is NOT authenticated

The problem is that session AAA is removed when regenerating the session id, so the client can't be authenticated.

It doesn't even work when there is no Location header and it just shows a static page with a link to another page.

It looks like the browser is ignoring Set-cookie.

When I remove session_regenerate_id(), it "works", but it's less secure.

Accepted answer

I answer my question myself... The problem is that the Set-cookie header doesn't contain a domain.

Example: www.site.com

Chrome: works ok, gets the domain from the current url (www.site.com).
Edge: don't know how, but the new session id is saved for the domain site.com.

Solution: use session_set_cookie_params() to set the domain to ".site.com" (all subdomains).
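A PHP login handler shaped like the flow the answer describes, added here as an example rather than the poster's own code: the cookie domain is set explicitly before the session starts, and the session id is rotated only after a successful login. The host site.com, the /account path and the verify_credentials() helper are assumptions.

```php
<?php
// Added example, not the original poster's code. Hostname, redirect path and
// the verify_credentials() helper are assumptions.
declare(strict_types=1);

// Cookie parameters must be set BEFORE session_start(); they also apply to the
// Set-Cookie header that session_regenerate_id() emits later.
session_set_cookie_params([
    'lifetime' => 0,           // browser-session cookie
    'path'     => '/',
    'domain'   => '.site.com', // explicit domain as in the answer (assumed host)
    'secure'   => true,        // send only over HTTPS
    'httponly' => true,        // not readable from JavaScript
    'samesite' => 'Lax',
]);
session_start();

/**
 * Placeholder for the application's own credential check (assumed helper).
 * It must return true only for a valid login/password pair, e.g. via
 * password_verify($password, $hashFromDatabase).
 */
function verify_credentials(string $login, string $password): bool
{
    return false;
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $login    = $_POST['login']    ?? '';
    $password = $_POST['password'] ?? '';

    if (verify_credentials($login, $password)) {
        // Rotate the id so the pre-login id (AAA) cannot be reused after login;
        // the "true" argument deletes the old session's data on the server.
        session_regenerate_id(true);
        $_SESSION['user'] = $login;

        // The browser must present the new id (BBB) on this follow-up request.
        header('Location: /account', true, 303);
        exit;
    }
}
```

Setting the domain this way sends the session cookie to every subdomain of site.com, so it only makes sense when all of those hosts are trusted; a single-host site can keep the domain empty and instead confirm in the browser's cookie store which host the cookie was actually set for.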
