Persistent session_id inside an iframe


Question

I have a PHP system that works fine stand-alone but not when embedded in an iframe.
It's embedded in a page on another domain, and consists of:
main.php grabs a parameter off the iframe URL, looks it up in MySQL, sets a session variable and draws a grid.
Then, using ajax, it tries to get data to display in the grid.
- but ajax.php doesn't have the same session_id()?!?
AND in subsequent ajax calls for data (to update the grid) the session_id() keeps changing!

To recap: ALL my PHP is inside the SAME iframe - no XS trouble..?
There IS a session_start() in all the right places (it works stand-alone).
The session_save_path() is the same in main.php and ajax.php (and they're in the same dir).
I've seen and tried different versions of header('P3P: CP="CAO PSA OUR"') - fruitlessly :(

Found it: my browser didn't allow third-party cookies - including the session cookie!
But isn't this wrong - no cookies are being shared across domains (it stays inside the iframe)?
- still.. it IS another domain than the one the user asked for in the URL... hmm... shit.

Answer

As mentioned, the problem was the browser blocking (not allowing) third-party cookies.
(That is, ignoring cookies not issued by the server behind the main (visible) URL.)

There exists a way to circumvent this security feature: google "P3P"
- but that's not reliable across browsers (Chrome).

My solution is to keep the session_id in JavaScript and append it as an extra parameter to all ajax calls,
enabling me to pick the relevant session in ajax.php: session_id( $_POST['sessID'] ); session_start();

This solution does make it somewhat easier for a malicious user to dick around with the session_id,
since it's now available (for modification) using JavaScript alone (easier than modifying a cookie)...

I would like to hear people's thoughts about this "increased vulnerability"?
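The ajax.php side of the approach described in the answer, written out as an added example (this is not the answer's own code). It assumes the client posts the ID in a field named sessID, as the answer does, and that main.php stored its MySQL lookup under a hypothetical $_SESSION['grid_key']. It adds the two checks a practitioner would want before adopting a caller-supplied session ID: a format check on the value, and session.use_strict_mode so PHP refuses IDs it never issued, which is the part that addresses the "increased vulnerability" the answer asks about (session fixation through the new parameter).

```php
<?php
// ajax.php, added example (not the answer's own code).
// Assumes main.php already did session_start(), stored what it looked up in
// MySQL under $_SESSION['grid_key'] (hypothetical name), and emitted the ID
// into the page for the client to post back in a field called "sessID":
//
//   <script>var sessID = <?= json_encode(session_id()) ?>;</script>
//   fetch('ajax.php', {method: 'POST',
//          body: new URLSearchParams({sessID: sessID})});

declare(strict_types=1);

// Only adopt IDs PHP could have generated itself. With the configurable
// session.sid_length / session.sid_bits_per_character settings PHP emits
// 22..256 characters from [0-9a-zA-Z,-]; anything else is rejected before it
// reaches session_id(), which by itself accepts almost any string.
function looks_like_session_id(string $id): bool
{
    return preg_match('/^[0-9a-zA-Z,-]{22,256}$/', $id) === 1;
}

// Adopt the posted ID and return true only if it names a session that
// main.php initialised. Garbage, an attacker-chosen ID, or an expired
// session all yield false and no data.
function resume_session_from_post(array $post): bool
{
    $candidate = $post['sessID'] ?? '';
    if (!is_string($candidate) || !looks_like_session_id($candidate)) {
        return false;
    }

    // Refuse uninitialised IDs: in strict mode PHP discards an ID it never
    // issued and generates a fresh one instead of creating a session under
    // the attacker's chosen name. Must be set before session_start().
    ini_set('session.use_strict_mode', '1');

    session_id($candidate);
    session_start();

    // Belt and braces: if strict mode swapped the ID, or the session carries
    // nothing from main.php, this request is not entitled to the grid data.
    if (session_id() !== $candidate || !isset($_SESSION['grid_key'])) {
        return false;
    }
    return true;
}

header('Content-Type: application/json');

if (!resume_session_from_post($_POST)) {
    http_response_code(403);
    echo json_encode(['error' => 'no valid session']);
    exit;
}

// Session recovered: the rest of ajax.php can query MySQL with
// $_SESSION['grid_key'] exactly as the stand-alone version did.
echo json_encode(['ok' => true, 'grid_key' => $_SESSION['grid_key']]);
```

With the strict-mode check, an ID a user invents or edits in JavaScript is only useful if the server already knows it, so the exposure is reduced to what it was with a session cookie the page's own JavaScript could read (a cookie without HttpOnly). What does change is where the ID lives: it is now in the page source and in every POST body, so it must travel over HTTPS only and never in a GET URL, where it would end up in server logs and Referer headers. Current browsers also require SameSite=None; Secure on a cookie before they will send it inside a cross-site iframe, but a user who blocks third-party cookies outright, as in the question, still will not send it, so that attribute does not replace the parameter approach.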
