安全灵活的跨域会话 [英] Secure and Flexible Cross-Domain Sessions

问题描述

我遇到了一个问题，希望您能帮忙解决.假设我在一家名为Blammo"的假设公司工作，我们有一个名为Log"的假设产品.我正在尝试建立一个系统，让人们可以登录 logfromblammo.com 并订购我们的一些产品，然后当他们准备购买时转到 checkout.blammo.com 以支付他们的订单.最终，我想让 Blammo 推出一个新的假设产品，它有自己的网站:rockfromblammo.com，并使该网站也能够与 checkout.blammo.com 共享会话，以便用户可以在这两种产品中拥有一个购物车网站.

I am having an issue that I hope you can help with. Let's say I work for a hypothetical company called "Blammo", and we have a hypothetical product called "Log". I am trying to set up a system where someone could log in to logfromblammo.com and order some of our products, and then when they are ready to purchase go to checkout.blammo.com to pay for their order. Eventually I want to allow for Blammo to launch a new hypothetical product with it's own website: rockfromblammo.com, and have that site also able to share a session with checkout.blammo.com so that users can have a single shopping cart across both product websites.

自然，上面描述的假设场景不是我公司的实际运作方式，但它是我需要做的事情的一个很好的例子.我们有一个现有的用户数据库，我们有办法在我们的任何站点上对我们的任何用户进行身份验证，但我的目标是允许用户从一个站点无缝切换到另一个站点，而无需重新进行身份验证.这也让我们能够将购物车等数据无缝传输到结账网站.

Naturally the hypothetical scenario described above is not how my company actually works, but it is a fair example of what I need to do. We have an existing user database, and we have ways to authenticate any of our users on any of our sites, but the goal I have is to allow users to cross seamlessly from one site to another without having to re-authenticate. This would also allow for us to seamlessly transfer data such as a shopping cart to the checkout site.

我曾(简要地)研究过 OpenID 等解决方案，但我需要能够将我们拥有的任何解决方案与我们现有的身份验证方法集成，这种方法并不是非常可靠.有没有什么好方法可以单独通过 PHP 做到这一点?

I have (briefly) looked at solutions such as OpenID, but I need to be able to integrate whatever solution we have with our existing authentication method, which is not terribly robust. Is there any good way to do this through PHP alone?

推荐答案

您可以做的是在站点之间创建交叉"链接以进行会话.

What you could do is create "cross-over" links between the sites to carry the session over.

最简单的方法是通过查询字符串传递会话ID；例如

The simplest way is to pass the session id via the query string; e.g.

http://whateverblammo.com/?sessid=XXYYZZ

在您开始认为任何人都可以捕获该信息之前，请考虑您的 cookie 是如何传输的；假设您没有使用 SSL，那么对于使用网络的人来说没有太大区别.

Before you start thinking that anyone can trap that information, think about how your cookies are transferred; assuming you're not using SSL, there's not much difference for someone who taps the network.

这并不意味着它是安全的；一方面，用户可能会不小心复制/粘贴地址栏，从而泄露他们的会话.为了限制这种暴露，您可以在收到会话 ID 后立即重定向到没有会话 ID 的页面.

That doesn't mean it's safe; for one, users could accidentally copy/paste the address bar and thus leaking out their session. To limit this exposure, you could immediately redirect to a page without the session id after receiving it.

请注意，在会话 ID 上使用 mcrypt() 不会有太大帮助，因为问题不是值的可见性；会话劫持不关心潜在的价值，只关心它的 url 的可重复性.

Note that using mcrypt() on the session id won't help much, because it's not the visibility of the value that's the problem; session hijacking doesn't care about the underlying value, only its reproducibility of the url.

您必须确保该 id 只能使用一次；这可以通过创建一个跟踪使用计数的会话变量来完成:

You have to make sure the id can be used only once; this can be done by creating a session variable that keeps track of the use count:

$_SESSION['extids'] = array();

$ext = md5(uniqid(mt_rand(), true)); // just a semi random diddy
$_SESSION['extids'][$ext] = 1;

$link = 'http://othersite/?' . http_build_query('sessid' => session_id() . '-' . $ext);

收到时:

list($sid, $ext) = explode('-', $_GET['sessid']);
session_id($sid);
session_start();
if (isset($_SESSION['extids'][$ext])) {
    // okay, make sure it can't be used again
    unset($_SESSION['extids'][$ext]);
}

您每次跨越边界时都需要这些链接，因为会话可能自上次以来已经重新生成.

You need these links every time a boundary is crossed, because the session may have gotten regenerated since the last time.

这篇关于安全灵活的跨域会话的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！