PHP 会话运行良好,但有些问题困扰着我…… [英] PHP sessions working very well, but something's bugging me…
问题描述
我一直在使用 PHP 会话,一切正常,它完全符合我的需要.
I've been working with PHP sessions, and everything is working fine it does exactly what I need.
然后我开始进一步研究潜在的安全问题并发现:
Then I started to look into potential security issues further and found this:
http://phpsec.org/projects/guide/4.html
请注意,所有用于确定现有会话或新会话状态"的是:
Notice that all that was being used was to determine existing session or new session 'status' is:
session_start();
...然而我以前见过很多次这样的事情:
...and yet I have seen this sort of thing many times before:
<?php
if (isset($PHPSESSID))
{
session_start($PHPSESSID);
}else{
session_start();
};
?>
我曾假设这将允许在第二次调用时进行一些其他处理,或者它的逻辑允许会话以相同的会话 ID 重新启动,例如用于不同的页面.
I had assumed that this would allow some other processing on second call or that it's logic allowed the session to restart with the same session ID for a different page for example.
然而,我已经认为普通的 session_start() 已经有逻辑来确定会话是否已在其他地方建立,因为它知道"保留现有会话 ID 而不是发布新会话 ID,除非它当然需要!
However I already thought that the plain session_start() already had logic to determine if a session had been established elsewhere because it 'knows' to retain an existing session ID rather than issuing a new one, unless it needs to of course!
所以我测试了上面的内容,但我根本无法让它工作.
So I tested the above and I couldn't get it to work at all.
<?php
if (isset($PHPSESSID))
{
$oldsession = "On";
$newsession = "Off";
session_start($PHPSESSID);
}
else
{
session_start();
$newsession = "On";
$PHPSESSID = session_id( );
};
echo 'ClientSessionID : '.$PHPSESSID.'<br>';
echo 'Refreshed Session : '.$oldsession.'<br>';
echo 'New Session : '.$newsession.'<br>';
?>
要么我遗漏了什么,要么这段代码永远无法工作.即使会话被保留,$oldsession 也永远不会被回显.我得出的结论是 $PHPSESSID 上的测试永远不会奏效.
Either I'm missing something or this code could never have worked. The $oldsession NEVER gets echo'ed even though the session is retained. I conclude that the test on $PHPSESSID never works.
所以我的问题是:假设示例测试代码在语法上是正确的,在调用 session_start() 之前尝试预先确定会话状态"是否合理?如果是这样,你会怎么做?
So my question is: Assuming the sample test code is syntactically correct, is it even plausible to attempt to pre-determine the session 'status' BEFORE calling session_start() ? And if so how would you go about it?
正如文章继续展示的那样,在会话开始后使用(假设的)结果会话变量是向不同方向发送代码的唯一方法,所以我认为这实际上是唯一的方法
As the article goes on to show, using the (assumed) resulting session variables after a session has started is the only way to send the code in a different direction, so I'm thinking this is actually the only way to do it.
推荐答案
看起来这篇文章是 2005 年初写的,所以也许这篇文章是假设 register_globals 设置已打开.在 PHP4 早期,它默认开启,但在 PHP5 中默认禁用.
It looks like the article was written in early 2005, so perhaps the article was assuming that the register_globals setting was turned on. Earlier in PHP4, it was on by default, but it has been disabled by default in PHP5.
要使您的代码正常工作,您需要明确使用 $_GET['PHPSESSID'] 或 $_COOKIE['PHPSESSID'],因为全局变量$PHPSESSID 可能由于 register_globals 被禁用而未设置.
For your code to work, you'd need to explicitly use $_GET['PHPSESSID'] or $_COOKIE['PHPSESSID'], since the global variable $PHPSESSID is probably not set due to register_globals being disabled.
另外,请注意会话名称并不总是PHPSESSID".这是默认设置,但可以在 会话中更改.name 服务器设置 或在运行时使用 在代码中更改session_name().
Also, note that the session name won't always be "PHPSESSID." That's default, but it can be changed in the session.name server setting or changed in the code at runtime with session_name().
这篇关于PHP 会话运行良好,但有些问题困扰着我……的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
