Symfony2 会话固定是如何工作的? [英] How does Symfony2 session fixation work?
问题描述
根据标准 2.4 文档,security.yml 配置文件允许以下配置选项:
According to the standard 2.4 documentation, the security.yml config file allows for the following configuration option:
session_fixation_strategy: none | migrate | invalidate
来源:http://symfony.com/doc/current/reference/configuration/security.html
但是,我没有在官方文档(或其他地方)中找到有关此选项实际作用或实际工作方式的任何详细信息.
However, I fail to find any details in the official documentation (or elsewhere) on what this option actually does, or how it works in practice.
因此,如果我将此选项设置为迁移"或无效",这将如何影响我系统中的会话处理?例如,如果我将其设置为无效",这是否意味着当用户导航到不同的安全上下文时,上下文本地会话会失效?
So, if I set this option to either "migrate" or "invalidate", how will this affect session handling in my system? For example, if I set it to "invalidate", would this mean that a context-local session is invalidated when the user navigates to a different security context?
推荐答案
简而言之:
- NONE:会话没有改变
- 迁移:更新会话ID,保留属性
- 无效:会话 ID 已更新,属性丢失
详细说明:
无策略:在默认会话实现中没有(应该)做任何事情,因此会话是从一个上下文到另一个上下文维护的.
None strategy: Nothing is (supposed to be) done in the default session implementation, thus the session is maintained from one context to the other.
迁移策略:将当前会话迁移到新的会话 ID,同时维护所有会话属性."(会话存储应该重新生成当前会话.)重新生成代表此存储的 id.此方法必须调用 session_regenerate_id($destroy) ,除非此接口用于为单元或功能测试设计的存储对象,其中真实的 PHP 会话会干扰测试.请注意,regenerate+destroy 不应清除内存中的会话数据,而应仅从持久存储中删除会话数据."因此,会话从一个上下文保留到另一个上下文.
Migrate strategy: "Migrates the current session to a new session id while maintaining all session attributes." (The session storage should regenerate the current session.) "Regenerates id that represents this storage. This method must invoke session_regenerate_id($destroy) unless this interface is used for a storage object designed for unit or functional testing where a real PHP session would interfere with testing. Note regenerate+destroy should not clear the session data in memory only delete the session data from persistent storage." Thus the session is retained from one context to the other.
无效策略:清除所有会话属性并闪烁并重新生成会话并从持久性中删除旧会话."因此,会话从一个上下文重新生成到另一个上下文.
Invalidate strategy: "Clears all session attributes and flashes and regenerates the session and deletes the old session from persistence." Thus the session is regenerated from one context to the other.
你的问题没有透露你试图获取什么样的会话数据.
但无论如何,不会为不同的安全上下文生成单独的会话:http://symfony.com/doc/current/reference/configuration/security.html#firewall-context
It was not revealed by your question what kind of session data you are trying to fetch.
But in any case, no separate session is generated for different security contexts:
http://symfony.com/doc/current/reference/configuration/security.html#firewall-context
安全(身份验证)相关数据存储在单独的密钥下(基于防火墙名称).因此,例如,如果您有名为main"的防火墙,则身份验证令牌将存储在_security_main"下,如果您有名为foo"的防火墙(单独的上下文),则用户和相关令牌数据将存储在'_security_foo'等下
Security (authentication) related data is stored under a separate key (based on the firewall name). So for example if you have a firewall with a name 'main', the authentication token will be stored under '_security_main', if you have a firewall (a separate context) with a name 'foo', the user and related token data will be stored under '_security_foo', etc.
因此,除了 ->getToken ->getUser(等)之外,其余的会话变量将在不同的上下文中可用,前提是您使用无"或迁移"会话策略.
So besides ->getToken ->getUser (etc.) the rest of the session variables will be available in different contexts provided you use the 'none' or the 'migrate' session strategies.
查看会话界面以了解详细信息(引用来自这些文件)vendor/symfony/symfony/src/Symfony/Component/HttpFoundation/Session/SessionInterface.php
Take a look at the session interface for details (quotes are from these files) vendor/symfony/symfony/src/Symfony/Component/HttpFoundation/Session/SessionInterface.php
和默认实现:vendor/symfony/symfony/src/Symfony/Component/HttpFoundation/Session/Session.php
And the default implementation: vendor/symfony/symfony/src/Symfony/Component/HttpFoundation/Session/Session.php
这篇关于Symfony2 会话固定是如何工作的?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
