Session_start fails to read session when /action1/action2 rather than ?action1=&action2= is used

Problem description

I'm using PHP7 to start sessions using my favorite control method: URL paths. This used to work [the way I'm doing it] but doesn't work in PHP7. Let's start with a completely normal hello world example.

<?php
session_start();
if(TRUE){
    $_SESSION['test'] = 'Hello World!';
}
print_r($_SESSION);
echo "<P>".session_id();

Run it first with TRUE and this baby works perfectly. Set it to FALSE and you get what you expect. Run it over and over and you get the same, expected result. I can even visit the session file and see that the variables were saved.

Now, I'm a fan of controlling my code using domain paths. E.G., example.com/action1/action2. Action1 is identified in my .htaccess file as a PHP type file and my doc_root has a symbolic link, action1 -> index.php. Please note, this works fine in every way but one... the moment you add those paths to the URI, the session stops reading the variables.

Can you help me understand why? Yes, the obvious solution to the question, "it hurts when I do this, what should I do?" is "don't do that." But like I said, I'm a fan. Frankly, this should work. The one and only cookie is correct. session_id() reports that I am looking at the same session ID and file. The very same session ID that is filled with data. Remove the /action1/action2 component and the $_SESSION variables show up again, just as we'd expect.

Does anyone know why this happens? What is it about adding the path that disables the session? Why would PHP even care so long as it has the expected session id? I even tried to file_get_contents() the session file so I could session_decode() the contents. Without the action path, I can read and process the file. With the action path (drum roll please...) I can't even read the file. It's as if some kind of ownership change has occurred, but I have the file and directory permissions wide open. Any ideas?

.htaccess:
RewriteEngine On
RewriteBase /
AddHandler application/x-httpd-php70 .php
<Files action1>
  SetHandler application/x-httpd-php
</Files>

If you want to test this yourself, save the first file to test.php, then update your .htaccess file as shown. Finally, ln -s test.php action1. Run domain.com/test.php to prove to yourself the sessions are working. Then run domain.com/action1 and watch the variables disappear.

Recommended answer

As it turns out, @hakre was on the right path, but the change didn't solve the problem. The problem is that Plesk directly assigns *.php files to be processed through php_fpm. In the Virtual Host Apache configuration file we have...

<Files ~ (\.php$)>
    SetHandler proxy:unix:///var/www/vhosts/system/wwphelps.com/php-fpm.sock|fcgi://127.0.0.1:9000
</Files>

This is how Plesk is specifically attaching one version of PHP over another by domain name. And anything that doesn't fall into this rule is interpreted by Apache's global rules, which for me are looking at a different install of PHP. (Why Plesk doesn't have a global override to point at their own PHP installs is a bit of a wonder, but I suspect this is a bug they've never encountered before.) So, logically, we'd need only add for each file we want to process without the .php suffix...

<Files action1>
    SetHandler proxy:unix:///var/www/vhosts/system/wwphelps.com/php-fpm.sock|fcgi://127.0.0.1:9000
</Files>

It is true that you need to do this, but for me it didn't work as advertised. My web page simply said "Access Denied" and my error files pointed me to FPM's security.limit_extensions parameter. In other words, despite specifically identifying a file I wanted to use without a suffix, FPM rejected it anyway. Here's where I got lazy. I reset the variable to nothing. In Plesk that's done by creating or modifying a php.ini file inside the domain's conf directory and adding (including the header if it's not already there)...

[php-fpm-pool-settings]
security.limit_extensions =

Restart Apache and Bob's your uncle.

According to a really rapid Google search, the ability to directly modify FPM parameters from inside Plesk is still up for debate.

Now, this comes with a price. From the perspective of the FPM socket, suddenly any file in your web root "could" be executed as a PHP file, including images customers upload and you blindly put in your [ROOT]/images directory. You're partially saved by the fact that unless you've told Apache otherwise, just any old file won't be interpreted as a PHP file. However, you'd be better protected if all files you upload through your site are (a) thoroughly vetted to be sure they are what they claim to be and (b) are either saved outside the web root or in a DB so that nobody can "execute" them by referring to them directly.

Finally, there ought to be a way to override in a config file those files that I want to intentionally violate security.limit_extensions. Unfortunately, FPM and Apache don't appear to talk to each other, otherwise the use of the block would completely override security.limit_extensions. For all I know there's a way to do it. I'd be curious to know, but I have a working solution, so I'm back to work.
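
An added audit example for the trade-off described in the answer above, not code from the original post: it checks whether a pool settings file leaves security.limit_extensions empty and, if so, lists files under the web root that are not named *.php yet contain a PHP opening tag. The directory layout (conf/php.ini, httpdocs/images) and the sample files are constructed for the demo.

```shell
# Added example (not from the original post). All paths below are constructed.

# True (exit 0) when the ini file sets security.limit_extensions to an empty
# value, i.e. FPM will run any file name it is handed. Commented-out lines
# (leading ';') do not count.
limit_extensions_is_empty() {
    grep -Eq '^[[:space:]]*security\.limit_extensions[[:space:]]*=[[:space:]]*$' "$1"
}

# List regular files under directory $1 whose name does not end in .php but
# whose bytes contain a PHP opening tag. -a scans binary files such as images;
# symlinks like action1 are skipped because find does not follow them.
find_php_in_non_php_files() {
    find "$1" -type f ! -name '*.php' -exec grep -laE '<\?(php|=)' {} + | sort
}

# Report for one domain: $1 = pool settings file, $2 = web root.
audit() {
    if limit_extensions_is_empty "$1"; then
        echo "WARN: security.limit_extensions is empty in $1"
        find_php_in_non_php_files "$2" | sed 's/^/  contains PHP tag: /'
    else
        echo "OK: security.limit_extensions is restricted in $1"
    fi
}

# Build a constructed sample tree mirroring the post and print its path.
make_sample() {
    _d=$(mktemp -d)
    mkdir -p "$_d/conf" "$_d/httpdocs/images"
    printf '[php-fpm-pool-settings]\nsecurity.limit_extensions =\n' > "$_d/conf/php.ini"
    printf '<?php session_start();\n' > "$_d/httpdocs/test.php"
    ln -s test.php "$_d/httpdocs/action1"
    printf 'GIF89a<?php /* constructed marker */ ?>\n' > "$_d/httpdocs/images/avatar.jpg"
    printf 'GIF89a plain image bytes\n' > "$_d/httpdocs/images/logo.gif"
    echo "$_d"
}

# Run the demo only when asked: sh audit.sh --demo
if [ "${1:-}" = "--demo" ]; then
    d=$(make_sample)
    audit "$d/conf/php.ini" "$d/httpdocs"
    rm -rf "$d"
fi
```

A listed file is a candidate for review rather than proof of a problem, since binary data can contain the bytes `<?=` by chance.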
