会话具体是什么?为什么不把IP和域名会话视为一样? [英] Session is specific to what? Why not treat ip and domain name session as same?
问题描述
我使用php会话,当我使用我的网站域名时它工作得很好。要在Windows操作系统上的本地vmvare ubuntu中测试网站,我更改我的Windows主机,使DNS成为本地ip。当测试本地时,我使用域名,它也很好。但是当我将浏览器中的URL更改为Ip时,会话丢失。
你可能会混淆为什么我这样做,因为我也想测试我的Android设备上的页面,因为我无法更改我的Android设备的主机文件没有Android根,所以我必须使用ip。
你也可能会混淆为什么我不会一直使用ip?因为我在我的网络应用程序中使用第三个打开登录。第三个打开的登录桅杆使用域名作为重定向回程url,所以当我囤积时,它将重定向到域名格式的url。
为什么php会话是一样的域名和ip?
要确保php会话与域名和ip不一样?我也尝试过我的管理系统,上面是用户系统。
我也尝试我的管理系统,我可以使用ip登录一路。但是当我将ip更改为URL中的域名时,会话也会丢失。
由于您提到PHP,将包括PHP手册中的信息。
我相信其他语言的行为类似。
在服务器中,会话特定于一个cookie。
从 PHP手册:
会话ID通常通过会话cookie发送到浏览器,ID用于检索现有的会话数据。缺少ID或会话cookie让PHP知道创建一个新的会话,并生成一个新的会话ID。
在用户代理(客户端,通常是浏览器)中,cookie特定于域和路径。
从 RFC6265 ,第4.1.2.3节:
Domain属性指定要发送Cookie的主机。例如,如果Domain属性的值为example.com,那么当向example.com,www.example.com和www.corp.example发出HTTP请求时,用户代理将将Cookie包含在Cookie标头中。 com。
第4.1.2.4节:
只有当请求uri的路径部分与cookie的Path属性匹配(或是子目录)时,用户代理才会将HTTP包含在HTTP请求中,其中%x2F(/)字符被解释为目录分隔符。
所以,如果你从域名来回移动到IP地址,例如 example.com 和 12.34.56.78 ,
a服务器创建的会话cookie example.com 12.34.56.78 发出请求,即使两者都是相同的服务器,code>也不会被用户代理
发回。
随后的请求,因为服务器看不到会话cookie,所以创建一个新的会话并发送一个新的cookie。
这就是为什么使用域名和IP地址将使用单独的会话。
如果您在使用域名和IP地址时需要使用相同的会话,您必须在请求之间保留会话ID。
通常的方法是传递查询字符串中的会话ID。
PHP会话管理其实也可以配置为使用这种方法,但是我从来不需要使用它,所以我不能告诉你会怎么去。
继续我的例子,您可以将其用于后续请求:
http://12.34.56.78/?sessionId = abcdef0123456789
其中 abcdef0123456789 是一个示例会话ID。
在PHP代码中,在调用 session_start()之前设置会话ID。
示例代码:
if(isset($ _ GET ['sessionId']))
session_id $ _GET [ '的sessionId']);
@session_start();
当然,您不必使用 sessionId 。
您可以使用 foobar 或其他任何内容。
您还可以每天甚至每小时更改一次,以防止会话劫持。
更新:要使用 foobar ,将PHP代码修改为:
if(isset($ _ GET ['foobar' ]))
session_id($ _ GET ['foobar']);
@session_start();
使用该代码,您可以传递会话ID:
http://12.34.56.78/?foobar=abcdef0123456789
如果要使用 xyz ,PHP代码将是:
if(isset($ _ GET ['xyz']))
session_id($ _ GET ['xyz']);
@session_start();
您可以传递会话ID:
http://12.34.56.78/?xyz=abcdef0123456789
关键是,这取决于你。
I want to know session is specific with what? This is not restrict to one language. Bellow is just use php as an example.
I use php session, it works well when I use the my website domain name. To test the website in my local vmvare ubuntu on the windows OS, I change the hosts of my windows to make the DNS to my local ip. When testing local, I use domain name, it also works well. But when I change the url in the browser to Ip, the session is lost.
You may confuse why I do this, because I want to also test the page on my android device, for I cannot change my android device's hosts file without android root, so I have to use ip.
You may also confuse why I not use the ip all the way? Because I use a third open login in my web app. The third open login mast use the domain name as the redirectback url, so when I loged in, it will redirect to the url in the domain name format.
Why the php session is the same when the domain name and the ip?
To make sure php session is not the same with domain name and ip? I also tryed my admin system, upper is user system.
I also try my administration system, I can use ip to login all the way. But when I change ip to the domain name in the url, the session also lose.
Since you mention PHP, I'll include information from PHP manual. I believe other languages behave similarly.
In the server, a session is specific to a cookie. From PHP manual:
Session IDs are normally sent to the browser via session cookies and the ID is used to retrieve existing session data. The absence of an ID or session cookie lets PHP know to create a new session, and generate a new session ID.
In the user agent (the client, usually a browser), a cookie is specific to a domain and path. From RFC6265, section 4.1.2.3:
The Domain attribute specifies those hosts to which the cookie will be sent. For example, if the value of the Domain attribute is "example.com", the user agent will include the cookie in the Cookie header when making HTTP requests to example.com, www.example.com, and www.corp.example.com.
Section 4.1.2.4:
The user agent will include the cookie in an HTTP request only if the path portion of the request-uri matches (or is a subdirectory of) the cookie’s Path attribute, where the %x2F ("/") character is interpreted as a directory separator.
So, if you move back and forth from domain name to IP address, for instance, example.com and 12.34.56.78,
a session cookie created by the server for example.com will not be sent back by the user agent
if you later make a request to 12.34.56.78, even if both are the same server.
With the later request, because the server sees no session cookie, a new session is created and a new cookie is sent.
That's why using both domain name and IP address will use separate sessions.
If you need to use the same session when using both domain name and IP address, you have to preserve the session ID between requests. A common method is to pass the session ID in the query string. PHP session management, in fact, can also be configured to use this method but I never need to use it, so I can't tell you how that's gonna go.
Continuing my example, you can use this for subsequent requests:
http://12.34.56.78/?sessionId=abcdef0123456789
Where abcdef0123456789 is an example session ID.
In the PHP code, set the session ID before calling session_start().
Example code:
if(isset($_GET['sessionId']))
session_id($_GET['sessionId']);
@session_start();
Of course, you don't have to use sessionId.
You can use foobar or anything else.
You can also change it daily or even hourly to prevent session hijacking.
Update: To use foobar, modify the PHP code to this:
if(isset($_GET['foobar']))
session_id($_GET['foobar']);
@session_start();
With that code, you can pass the session ID like this:
http://12.34.56.78/?foobar=abcdef0123456789
If you want to use xyz, the PHP code would be:
if(isset($_GET['xyz']))
session_id($_GET['xyz']);
@session_start();
You can pass the session ID like this:
http://12.34.56.78/?xyz=abcdef0123456789
The point is, it is really up to you.
这篇关于会话具体是什么?为什么不把IP和域名会话视为一样?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
