"secure" parameter in session_set_cookie_params

Question

I am interested in learning more about the secure parameter of the function session_set_cookie_params().

Can you tell me how to utilize this properly? If this function is executed on a page that is not secure (but on a server that does have SSL), will it somehow send it securely or do I have to force SSL on the page this function is executed from on my own?

Recommended answer

It means that the client will only send that cookie through a secure (HTTPS) connection. This means you'll have to forward the user to a secure URL in order for the cookie to get sent to the server.

You can set a secure cookie through an insecure connection, though you obviously should not (otherwise the value of the cookie may be sniffed). Since a secure cookie can be changed by an insecure connection, you cannot trust that the cookie value was not corrupted by a third party that intercepted and changed the contents of an insecure HTTP request to your site. Therefore, depending on how you're using the secure cookie, you may need to validate its contents.
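The points in the answer above, as an added example that is not part of the original answer: forward plain-HTTP requests to HTTPS before the session cookie is issued, set the secure flag, and have PHP reject session IDs it did not issue. `CANONICAL_HOST`, `is_https()`, `start_secure_session()` and `on_login()` are hypothetical names, and the code assumes PHP 7.3+ with no TLS-terminating proxy in front of it.

```php
<?php
declare(strict_types=1);

// Constructed placeholder: the site's real HTTPS host name goes here.
const CANONICAL_HOST = 'www.example.com';

// Assumes PHP sees the TLS connection itself (no TLS-terminating proxy in front).
function is_https(): bool
{
    return !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off';
}

function start_secure_session(): void
{
    // The secure flag does not upgrade the connection: a plain-HTTP request
    // must be forwarded to HTTPS before any session cookie is issued.
    if (!is_https()) {
        $uri = $_SERVER['REQUEST_URI'] ?? '/';
        header('Location: https://' . CANONICAL_HOST . $uri, true, 301);
        exit;
    }

    // Validate the cookie's contents: strict mode rejects a session ID the
    // server did not issue itself, e.g. one written over an insecure request.
    ini_set('session.use_strict_mode', '1');
    ini_set('session.use_only_cookies', '1');

    // Array form of session_set_cookie_params() requires PHP 7.3 or later.
    session_set_cookie_params([
        'lifetime' => 0,      // cookie ends with the browser session
        'path'     => '/',
        'secure'   => true,   // browser returns the cookie over HTTPS only
        'httponly' => true,   // not readable from JavaScript
        'samesite' => 'Lax',
    ]);
    session_start();
}

// Call after a successful login so an ID that was planted before
// authentication never becomes the authenticated session.
function on_login(): void
{
    session_regenerate_id(true);
}

start_secure_session();
```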
