PHP会话HTTP到HTTPS问题 [英] PHP session HTTP to HTTPS problem
问题描述
我有一个(HTTPS)login.php页面,它仍然是HTTPS(即用户登录后转到帐户信息中心)。现在问题是用户登录到安全仪表板时点击了非敏感页面(HTTP)about-us.php页面,会话不通过HTTP传输,因为我有session.cookie_secure = 1,这意味着用户似乎在HTTP页面上注销。
I have a (HTTPS) login.php page which remains HTTPS (ie once user logged in goes to account dashboard). Now the problem is say the user whilst logged on to the secure dashboard clicks onto a non-sensitive page like (HTTP) about-us.php page, the session is not transmitted over HTTP as I have session.cookie_secure=1, meaning the user appears logged out on HTTP pages.
然而,当用户返回仪表板页面或任何敏感帐户页面时,我被告知他仍然应该登录(即从HTTP返回到HTTPS)?但事实并非如此,他似乎也登录了HTTPS连接?
However when the user goes back to dashboard page or any sensitive account page I have been told he should still be logged in (ie from HTTP back to HTTPS)? However this is not the case and he appears logged out on the HTTPS connection too?
我相信我错过了造成这个问题的事情。这是我的代码:
I believe I am missing something which is causing this problem. Here is my code:
这是PHP头文件,在login.php页面上调用它来启动会话:
This is PHP header file which is called to start session on login.php page:
session_start();
session_regenerate_id(true); /*avoid session fixation attempt*/
/*Create and check how long session has been started (over 5 mins) regenerate id - avoid session hijack*/
if(!isset($_SESSION['CREATED']))
{
$_SESSION['CREATED'] = time();/*time created session, ie from login/contact advertiser/email_confirm only ways for new session to start*/
}
elseif(time() - $_SESSION['CREATED'] > 300)
{
/*session started more than 5 mins(300 secs) ago*/
session_regenerate_id(true); /*change session ID for the current session and invalidate old session ID*/
$_SESSION['CREATED'] = time(); /*update creation time*/
}
/*Check if user is logged in*/
if(!isset($_SESSION['loggedin']))
{
$_SESSION['loggedin']=1;/*used to track if user is logged in on pages*/
}
/*if return false browser supports standard ob_start();*/
if(ob_start("ob_gzhandler")){ob_start();}
这是每个页面上都需要的PHP头文件,用于检查会话是否已启动:
This is PHP header file required on every page to check if session initiated already:
session_start();
$session_errors=0;/* if>0 user not logged in*/
/*check if session is already initiated*/
if(isset($_SESSION['CREATED']))
{
if(time() - $_SESSION['CREATED'] > 300)
{
/*session started more than 5 mins(300 secs) ago*/
session_regenerate_id(true); /*change session ID for the current session and invalidate old session ID*/
$_SESSION['CREATED'] = time(); /*update creation time*/
}
}
elseif(!isset($_SESSION['CREATED'])){$session_errors++;}/*user not logged in*/
/*Check if user is logged in*/
if(!isset($_SESSION['loggedin'])){$session_errors++;}/*user not logged in*/
if(ob_start("ob_gzhandler")){ob_start();}
如果有任何用途,这是在非敏感网页上转换HTTPS的代码,例如about-us.php
Also if any use this is the code to turn HTTPS of on non-sensitive pages such as about-us.php
if ($_SERVER['SERVER_PORT']!=80)
{
$url = "http://". $_SERVER['SERVER_NAME'] . ":80".$_SERVER['REQUEST_URI'];
header("Location: $url");
}
我的php.ini文件cookie设置
My php.ini file cookie settings
session.cookie_secure=1
session.cookie_httponly=1
session.use_only_cookies=1
session.cookie_lifetime = 0
session.save_path = /tmp
session.save_handler = files
推荐答案
回答帮助可能偶然发现此事的人
作为在PHP中从HTTP切换到HTTPS时丢失的会话已经结束,因为您正在使用 session.cookie_secure = 1 当连接从HTTPS切换到HTTP时,不会传输包含会话ID的cookie。在HTTP连接时,当您 session_start()时,PHP会创建一个新的会话ID,它会替换先前的会话ID。
As the the answer at Session lost when switching from HTTP to HTTPS in PHP has concluded, since you are using session.cookie_secure = 1 the cookie that contains the session ID is not transferred when the connection switches from HTTPS to HTTP. At HTTP connection, when you session_start(), PHP creates a new session id, which replaces the previous session id.
答案还提出了一个解决方案,使用查询字符串传递会话ID,然后由页面选取。这有点不好的安全漏洞。不要忘记我们首先使用HTTPS的原因!
The answer also suggests a solution, pass the session id using query string, which is then picked up by the page. This smells of bad of security flaw. Don't forget the reason why we used HTTPS in the first place!
所以我建议您解决的问题是将所有http请求重定向到https对应项。对您网站中的所有内容使用HTTPS,从css,图像到平凡的静态html页面。实际上,每个应用程序都认真对待安全性。例如,使用HTTP访问github页面将返回:
So the solution I suggest to you is that you redirect all http request to https counterparts. Use HTTPS for everything in your site, from css, images, to mundane static html pages. This is actually something that every application that is serious about security does. For example, visiting github page using HTTP will return:
HTTP/1.1 301 Moved Permanently
Server: nginx/0.7.67
Date: Sun, 08 May 2011 15:43:01 GMT
Content-Type: text/html
Content-Length: 185
Connection: close
Location: https://github.com/
<html>
<head><title>301 Moved Permanently</title></head>
<body bgcolor="white">
<center><h1>301 Moved Permanently</h1></center>
<hr><center>nginx/0.7.67</center>
</body>
</html>
请记住为什么你首先使用HTTPS,如果你想要完全安全,请使用HTTPS一切。
Remember why you used HTTPS in the first place, if you want to be totally secure, use HTTPS for everything.
检测请求是否为HTTPS (见这个问题)。
Detect if the request is HTTPS or not (See this question) at bootstrap.
如果请求是HTTP,则重定向所有对HTTPS主页的请求,或者您可以尝试解析 $ _ SERVER ['REQUEST_URI'] 并使用 parse_url将HTTP请求重定向到其HTTPS对应项和 http_build_url 。
If the request is HTTP, either redirect all requests to HTTPS home page, or you can try parsing $_SERVER['REQUEST_URI'] and redirecting HTTP request to their HTTPS counterpart using parse_url and http_build_url.
第二种替代解决方案
如果你真的真的不想为所有事情使用HTTPS,那就不要 session_start()在使用HTTP访问的页面上。当您这样做时,将保留安全cookie。
If you really really don't want to use HTTPS for everything, then don't session_start() on pages that are accessed with HTTP. Secure cookies will be retained when you do this.
第三种替代解决方案
另一种解决方案是尝试通过IP地址和用户代理检测用户。这不保证是准确的,所以我建议只使用HTTPS来做所有事情。例如,Paypal总是使用HTTPS,即使是普通的静态页面。
The other solution is to try and detect the user by IP addresses and user agent. This is not guaranteed to be accurate, so what I suggest is just use HTTPS for everything. Paypal, for example, always use HTTPS even for mundane static pages.
这篇关于PHP会话HTTP到HTTPS问题的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
