Codeigniter sessions being destroyed in IE 10 when changing pages

Views: 76

Problem description



This may sound straightforward, but I couldn't find a solution to it. I am using the latest version of CI to build a website framework. I am using sessions to store access information for allowing users to access certain pages. This works just fine in Firefox, Chrome, Safari and versions IE 9 and below. However, with IE10, the sessions are being unset automatically when I change pages within the framework. So for instance I'm on a dashboard and I click a link to take me to localhost/sitename/admin/settings, IE10 destroys all session information and thus I am getting logged out and redirected to the login page. I tried changing sess_cookie_name to cisessions (I've seen this in other answers) but that had no effect.

Has anyone else come across this issue, or know of a working solution?

Thanks in advance.

EDIT:

Should have waited to post this :)

Found solution after more digging,

$config['sess_cookie_name']  = 'cisession';
$config['sess_match_useragent'] = FALSE;

New question then, is sess_match_useragent absolutely important for CI security purposes, or can it remain off for all browsers?

Solution

This is a difficult question to answer objectively and completely as there are many factors at play.

The inclusion of the user agent as part of session verification is useful because it reduces the likelihood of session hijacking. However, consider this:

  1. Can using sess_match_ip match or exceed sess_match_useragent effectiveness from a security perspective? By matching the IP, an attacker would be required to legitimately use the same IP, or try and spoof it when accessing your server. User agent verification can be spoofed very easily; IP spoofing is significantly more difficult and would likely require the user's network to be compromised to be effective (e.g., another individual on the same network, local network, or even on the same computer).

  2. Are you using SSL encryption to securely transmit data? If not, is it conceivable a middleman attack would render your application exploitable regardless of user agent checking? Since the client will be communicating with the server with no form of encryption, entire HTTP requests can be plucked, manipulated and replayed. This is made more difficult if you enable IP checking.

  3. Do you really want different server-side behaviour for different browsers when dealing with security? While it may seem insignificant now, it is entirely conceivable that this kind of problem may affect future releases of other browsers too (or be reverted in future revisions of IE, to "fix" it). Is engineering a solution worth your time?

With this in mind, my personal opinion would be to leave it off entirely for all browsers. Internet Explorer still represents a sizable share of the browser market, and short of writing in a per-browser fix, it does not seem worth implementing. This is particularly true given the security benefits are relatively small in light of more fundamental exploits and the availability of IP matching.
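The trade-off in points 1 and 2 above can be seen in a small stand-alone PHP script. This is an added example, not CodeIgniter's own session library: it reproduces the comparison that sess_match_ip and sess_match_useragent perform (CodeIgniter 2.x stores the first 120 characters of the user agent and compares that) against constructed requests. Every IP address and user-agent string below is made up for the demonstration.

```php
<?php
// Added example, not CodeIgniter's own code: a stand-alone model of the
// session binding checks behind sess_match_ip and sess_match_useragent,
// run against constructed requests.

// Mirrors CI 2.x, which stores and compares the user agent truncated to 120 chars.
function ua_fingerprint(string $userAgent): string
{
    return trim(substr($userAgent, 0, 120));
}

// $stored is what was written into the session at login; $request is the
// current HTTP request. Returns the list of reasons the session was rejected
// (an empty array means the session is accepted).
function validate_session(array $stored, array $request, bool $matchIp, bool $matchUa): array
{
    $reasons = [];
    if ($matchIp && $stored['ip_address'] !== $request['ip_address']) {
        $reasons[] = 'ip_mismatch';
    }
    if ($matchUa && ua_fingerprint($stored['user_agent']) !== ua_fingerprint($request['user_agent'])) {
        $reasons[] = 'user_agent_mismatch';
    }
    return $reasons;
}

// Constructed sample data (hypothetical values, not taken from the question).
$login = [
    'ip_address' => '203.0.113.10',
    'user_agent' => 'Mozilla/5.0 (Windows NT 6.2; Trident/6.0) like Gecko',
];

$scenarios = [
    'same browser, next page' => [
        'ip_address' => '203.0.113.10',
        'user_agent' => 'Mozilla/5.0 (Windows NT 6.2; Trident/6.0) like Gecko',
    ],
    // The symptom in the question: the same client presents a different
    // user-agent string on the following request.
    'same client, UA string changed' => [
        'ip_address' => '203.0.113.10',
        'user_agent' => 'Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2; Trident/6.0)',
    ],
    // A stolen cookie replayed from another host: the user agent is
    // trivially copied, the source address is not.
    'cookie replayed from another host' => [
        'ip_address' => '198.51.100.77',
        'user_agent' => 'Mozilla/5.0 (Windows NT 6.2; Trident/6.0) like Gecko',
    ],
];

// [sess_match_ip, sess_match_useragent]
$policies = [
    'match_ua only' => [false, true],
    'match_ip only' => [true, false],
    'match both'    => [true, true],
];

foreach ($scenarios as $label => $request) {
    echo $label, PHP_EOL;
    foreach ($policies as $policyName => [$matchIp, $matchUa]) {
        $reasons = validate_session($login, $request, $matchIp, $matchUa);
        printf("  %-14s %s\n", $policyName,
            $reasons ? 'REJECT (' . implode(', ', $reasons) . ')' : 'accept');
    }
}
```

Running it shows the two failure modes side by side: under "match_ua only" the legitimate client whose UA string changed is logged out while the replayed cookie from another host is accepted, and under "match_ip only" the opposite happens. The configuration that follows the answer's advice is therefore `$config['sess_match_useragent'] = FALSE;` together with `$config['sess_match_ip'] = TRUE;`, and, for point 2, serving the site over HTTPS with `$config['cookie_secure'] = TRUE;` so the session cookie is never sent in clear. One caveat on IP matching: users whose address changes mid-session (mobile networks, some carrier-grade NAT) will be logged out in the same way the IE10 users were, so test it against your real user base before enabling it.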
