Session lost when switching from HTTP to HTTPS in PHP


Problem description

When sending the user to a checkout page, they are switched from http://sitename.com to https://sitename.com.

As a result, the $_SESSION variables are lost.

The site has a valid SSL certificate which may or may not be of some use.

Recommended answer

When you switch between the HTTP and HTTPS services on the same server, your HTTP session ID is not being passed to the HTTPS session. You can set it by passing the session ID from the HTTP page to the HTTPS page in one of three possible ways:

From PHP: session_start:

session_start() creates a session or resumes the current one based on the current session id that's being passed via a request, such as GET, POST, or a cookie

When you are using sessions, you will normally start your script with session_start(). If the browser has a session ID cookie set, session_start() will use that session ID. If the browser does not have a session ID cookie set, session_start() will create a new one.

If the session ID is not set (in your example, the browser is creating a new session ID cookie for the HTTPS session), you can set it using the session_id() function. session_id() also conveniently returns the session ID as a string. So

...

$currentSessionID = session_id();

...

sets the $currentSessionID variable equal to the current session ID, and

...

session_id($aSessionID);

...

sets the sessionID cookie in the browser to $aSessionID. From PHP: session_id

Here's an example with two scripts. One is accessed via HTTP and the other is accessed via HTTPS. They must be on the same server to maintain session data.

Script 1 (HTTP):

<?php

// This script will create a session and display a link to your secure server address
// to transfer your session ID. In this example, the secure page to receive the session
// ID is located at https://www.yoursite.com/safePages/securePage.php

// Start a session using the current session ID stored in a cookie, or create
// a new session if none is set.
session_start();

$currentSessionID = session_id();

// Set a variable that will be retrieved with the HTTPS script.
$_SESSION['testvariable'] = 'It worked';

// $secureServerDomain is the domain of your secure server
$secureServerDomain = 'www.yoursite.com';

// $securePagePath is the path to the page that will receive and set the session ID.
$securePagePath = '/safePages/securePage.php';

// The session ID is appended as the "session" query parameter of the HTTPS link.
echo '<a href="https://' . $secureServerDomain . $securePagePath . '?session=' . $currentSessionID . '">Click here to transfer your session to the secure server</a>';

?>

Script 2 (HTTPS):

<?php

// Retrieve the session ID as passed via the GET method.
$currentSessionID = $_GET['session'];

// Set a cookie for the session ID.
session_id($currentSessionID);

// Start a session.
session_start();

// Test retrieval of variable set when using HTTP.
if (!empty($_SESSION['testvariable'])) {
      echo $_SESSION['testvariable'];
} else {
      echo 'It did not work.';
}

?>

For this to work the HTTP and HTTPS servers must use the same session data storage substrate (i.e. for the default files handler, run on the same physical machine with the same php.ini). There are some security flaws here, so I would not use this code to transfer sensitive information. It is just meant as a workable example.

When I ran into this problem before, I came up with the above as a quick fix, but I just remembered the original cause of the problem. I was going from http://www.example.com/page.php to https://example.com/page.php (notice the lack of "www"). Make sure that http://www.example.com/page.php will link to https://www.example.com/page.php and http://example.com will link to https://example.com/page.php.

PS, I did not actually run these scripts, so there may be a typo or two that keeps them from running properly as is.
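
A hardened variant of the handoff that Script 2 performs, added here as an example and not part of the original answer: the link carries an HMAC-signed, short-lived token instead of a bare session ID, and the HTTPS side issues a fresh ID behind a Secure cookie. HANDOFF_KEY, HANDOFF_TTL, the `t` query parameter and both function names are assumptions made for illustration; the array form of session_set_cookie_params() needs PHP 7.3 or later.

```php
<?php
// Added example, not the answer's code. HANDOFF_KEY and the "t" parameter are assumptions.
const HANDOFF_KEY = 'replace-with-a-random-secret-from-config'; // placeholder value
const HANDOFF_TTL = 30; // seconds a handoff link stays valid

// HTTP side: wrap the session ID with an expiry time and an HMAC over both.
function make_handoff_token(string $sid, int $now): string
{
    $payload = $sid . '.' . ($now + HANDOFF_TTL);
    return $payload . '.' . hash_hmac('sha256', $payload, HANDOFF_KEY);
}

// HTTPS side: return the session ID only if the token is intact and not expired.
function verify_handoff_token(string $token, int $now): ?string
{
    $parts = explode('.', $token);
    if (count($parts) !== 3) {
        return null;
    }
    [$sid, $expires, $mac] = $parts;
    $expected = hash_hmac('sha256', $sid . '.' . $expires, HANDOFF_KEY);
    if (!hash_equals($expected, $mac)) {
        return null; // forged or altered token
    }
    if (!ctype_digit($expires) || (int)$expires < $now) {
        return null; // stale link
    }
    // Accept only the characters and lengths PHP itself generates for session IDs.
    return preg_match('/^[A-Za-z0-9,-]{22,256}$/', $sid) === 1 ? $sid : null;
}

// HTTPS receiving script (skipped when the file is run from the CLI).
if (PHP_SAPI !== 'cli') {
    $t = $_GET['t'] ?? '';
    $sid = verify_handoff_token(is_string($t) ? $t : '', time());
    if ($sid === null) {
        http_response_code(400);
        exit('Invalid or expired handoff link.');
    }
    session_set_cookie_params(['secure' => true, 'httponly' => true, 'samesite' => 'Lax']);
    session_id($sid);
    session_start();
    // Issue a fresh ID so the one that appeared on the HTTP page stops working.
    session_regenerate_id(true);
}
```

On the HTTP page the link would be built with `'?t=' . rawurlencode(make_handoff_token(session_id(), time()))`. The token can still be read by anyone who can read the HTTP page, so serving the whole site over HTTPS on one canonical host name removes the need for the handoff entirely.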
