session_id()没有获取会话变量 [英] session_id() not getting session variables
问题描述
我在两个不同的Web服务器上安装了自制CMS.每个维护相同的代码.当我尝试在不同的域之间传递$_SESSION变量时,我遇到了一个非常烦人的问题.
I have a homebrew CMS installed on two different web servers. Each maintain the same code. I have had a really annoying problem when I try passing $_SESSION variables between different domains.
我的CMS在domain1.com上.它所控制的网站在domain2.com上.我的系统通过URL链接将所有登录信息的会话变量从domain1.com传递到domain2.com(domain1.com具有这样的链接:http://domain2.com?sessionId=1gh...)(sessionId由session_id()生成). domain2.com检索会话ID,并执行session_id($_GET['sessionId'])设置会话并获取变量.然后,它会继续在顶部显示一个具有管理功能的栏.
My CMS is on domain1.com. The website it is controlling is on domain2.com. My system passes all the session variables for the login information from domain1.com to domain2.com via a url link (domain1.com has a link like this: http://domain2.com?sessionId=1gh...)(sessionId is generated by session_id()). domain2.com retrieves the session id and does session_id($_GET['sessionId']) to set the session and grab the variables. It then proceeds to show a bar at the top with admin features.
此系统在我的一台主机以及我的本地主机上都运行良好.但是我最近转移到另一台主机,并使用相同的代码成功安装了CMS.除此功能外,一切正常.当我单击链接并尝试设置session_id时,session_id会更改,但是$_SESSION变量会被删除.当我返回到CMS时,我必须重新登录.在此主机上,以某种方式更改session_id会删除$_SESSION变量.
This system works well on one of my hosts, as well as my localhost. But I recently transferred to a different host and installed my CMS with the same code with success. Everything works except for this feature. When I click on the link and try to set the session_id, the session_id changes, but the $_SESSION variables are removed. When I return to my CMS, I have to relogin. Somehow on this host, changing the session_id deletes the $_SESSION variables.
我从不喜欢会话变量,并且如果我要重新开始也不会使用它们(我可能会使用纯cookie).但是我真的需要弄清楚这一点.它工作的主机是Bluehost,两个域都由Bluehost托管.不能使用的主机是 ByteHost,域注册者是Godaddy.
I have never liked session variables and I would not use them if I were to start again (I would probably use plain cookies). But I really need to figure this out. The host that it works on is Bluehost, with both domains hosted by Bluehost. The host that it does not work on is ByteHost, and the domain registrar is Godaddy.
这是domain2.com的一些示例代码:
Here is some example code from domain2.com:
...
if ( $_GET['sessionId'] )
{
session_id($_GET['sessionId']);
}
session_start();
echo session_id(); // returns the proper sessionId passed through the url
print_r($_SESSION); // does not work. returns array()
...
我可以保证$_SESSION变量以前存在,因为我仍然登录到CMS.
I can guarantee that the $_SESSION variables existed before, because I was still logged into my CMS.
有什么想法为什么会话变量可在1个主机上工作,而不能在另一个主机上工作?
Any ideas why session variables work on 1 host, but not on another?
我尝试用工作的主机之一替换php.ini文件.问题仍然存在.
I tried replacing the php.ini file with the working host one. Problem was still there.
谢谢您的时间!
更新
我最终将其从CMS中删除.现在,我只需在url上传递登录详细信息,它就可以登录该人.它的工作原理更加简洁.
I ended up removing this from my CMS. Now, I just pass the login details over the url and it logs the person in. It works a lot cleaner.
推荐答案
以下是一些可能无法正常工作的原因:
Here are some reasons why this may not be working:
- 不同的物理服务器
- 每个域的不同帐户(即使它是同一台物理服务器)
- 域的不同apache/php守护程序(某些共享的托管站点将为每个域创建一个单独的目录,然后限制apache在域之间共享信息.这也具有防止会话信息的传递.请考虑一下-您是否希望同一托管服务提供商上的其他人的域可以访问您客户的会话信息?)
- 配置(Apache或php)或.htaccess规则
- different physical server
- different account for each domain (even if it's the same physical server)
- different apache/php daemon for the domains (some shared hosting sites will create a separate directory for each domain, and then restrict apache from sharing information between domains. This will also have the effect of preventing session information from being passed. Think about it - do you want someone else's domain on the same hosting provider to have access to YOUR client's session info?)
- configuration (apache or php), or .htaccess rules
以下是我的建议:停止这样做.这是修复代码中非常严重的安全漏洞的绝佳机会.到托管服务提供商诊断它时,您可能只需要使用HTML5存储或安全cookie重写所有需要的内容即可.
Here is what I will recommend: stop doing this. This is a great opportunity to fix a very serious security flaw in your code. By the time you diagnose it with the hosting provider, you could probably just rewrite everything you need using HTML5 storage or secure cookies.
我的猜测是,托管服务提供商足够聪明,可以保护会话信息表单从另一个域中窃取.但是无论哪种情况,我强烈都建议您更改代码,以使其无需从其他域中窃取会话信息.
My guess is that the hosting provider is smart enough to protect session information form being stolen from another domain. But in either case, I strongly recommend you change the code so that it does not need to steal session information from another domain.
这篇关于session_id()没有获取会话变量的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
