session_regenerate_id()如何在内部工作?
[英]How does session_regenerate_id() work internally?
问题描述
I am trying to secure sessions for users on a website. 
我正在尝试确保网站上用户的会话安全。 On the login flow, I am regenerating session id, to ensure better security (reduce chances of guessing) in terms of session fixation. 在登录流程中,我正在重新生成会话ID,以确保在会话固定方面更好的安全性(减少猜测的机会)。 I was trying to test a script for the working of session_regenerate_id(). 我正在尝试测试用于session_regenerate_id()的脚本。 There are two instances of it. 有两个实例。 They are: 他们是:
1) Delete old session by using session_regenerate_id(true) 1)使用session_regenerate_id(true)删除旧会话
<?php
session_start();
if (!isset($_SESSION['times'])) {
$_SESSION['times'] = 0;
$_SESSION['generate'] = true;
} else {
if ($_SESSION['generate'] === true) {
session_regenerate_id(true);
$_SESSION['generate'] = false;
}
$_SESSION['times']++;
}
var_dump($_SESSION['times']);
var_dump(session_id());
?>
The following is the output I got for it: 以下是我得到的输出:
/var/www/public/goto/index.php:31:int 0
/var/www/public/goto/index.php:32:string 'q96btv7i1ukpb3cq8tskcgdeb7' (length=26)
On another tab (same browser): 在另一个标签上(相同的浏览器):
/var/www/public/goto/index.php:31:int 1 /var/www/public/goto/index.php:32:string 'gspq91o1jbcrcc27b4fkm4qgd5' (length=26)
On checking the folder after opening the same page in another tab where, session files are stored, I found the session file associated only with the string: gspq91o1jbcrcc27b4fkm4qgd5 在另一个存储会话文件的选项卡中打开同一页面后检查文件夹时,我发现该会话文件仅与以下字符串关联: gspq91o1jbcrcc27b4fkm4qgd5
2) Just regenerated new session id by using session_regenerate_id() 2) 只需使用session_regenerate_id()重新生成新的会话ID
<?php
session_start();
if (!isset($_SESSION['times'])) {
$_SESSION['times'] = 0;
$_SESSION['generate'] = true;
} else {
if ($_SESSION['generate'] === true) {
session_regenerate_id();
$_SESSION['generate'] = false;
}
$_SESSION['times']++;
}
var_dump($_SESSION['times']);
var_dump(session_id());
?>
Output for first tab: 第一个标签的输出:
/var/www/public/goto/index.php:31:int 0
/var/www/public/goto/index.php:32:string 'odu7sttll7pp43suqu22laa755' (length=26)
Output on second tab: 第二个选项卡上的输出:
/var/www/public/goto/index.php:31:int 1
/var/www/public/goto/index.php:32:string '27po8j6bu318fd3e69ug4m53i3' (length=26)
In this case, I found session files for both the session ids: odu7sttll7pp43suqu22laa755 and 27po8j6bu318fd3e69ug4m53i3 Thus, what the function says, it does. 在这种情况下,我找到了两个会话ID的会话文件: odu7sttll7pp43suqu22laa755和27po8j6bu318fd3e69ug4m53i3因此,该函数说明了这一点。 But, my question comes here (sorry for the long intro), in the first case, when using session_regenerate_id(true) , the cookie on the first tab contained the old session id, whereas the one on the new tab, contained the new session id. 但是,我的问题来到这里(很长的介绍很抱歉),在第一种情况下,当使用session_regenerate_id(true) ,第一个选项卡上的cookie包含旧的会话ID,而新选项卡上的cookie包含新的会话。 ID。 After opening the second tab, when I refresh the first one, I magically get 3 as output and the session id of the second tab. 打开第二个选项卡后,当刷新第一个选项卡时,我神奇地得到3作为输出和第二个选项卡的session id 。 What I don't understand here is when I refresh Tab 1 , the cookie it sends to the server contains the old session id, which shouldn't be no longer valid (and also doesn't exist as file on the server), how do I get 3 as output? 我不明白这里是当我刷新Tab 1 ,它向服务器发送的cookie包含旧的会话ID,这不应该是不再有效(也作为文件服务器上不存在), 如何我得到3作为输出?
How is the same session persisted, even when Tab 1 has no idea about the regeneration and the new session cookie? 即使选项卡1对重新生成和新的会话cookie一无所知,同一会话也将如何持续存在?
Shouldn't the request when I refresh the page on Tab 1 not get me the newly generated session (on Tab 2)? 如果不是请求时,我刷新选项卡1页不了我(选项卡2)新产生的会话?
That would be having two sessions on the same browser, which is not what actually happens. 那将在同一个浏览器上进行两个会话,而实际情况并非如此。 How does PHP handle this on session_regenerate_id(true) PHP如何在session_regenerate_id(true)上处理此问题
Please note: The following is my output for session from phpinfo() 请注意:以下是我从phpinfo()进行会话的输出
1 个解决方案
解决方案1
0 2016-12-18 10:24:26
Thank you @Charlotte Dunois and @AnthonyB for helping me out. 谢谢@Charlotte Dunois和@AnthonyB的帮助。
It was a mistake on my part. 我这是一个错误。
Chrome Dev Tools doesn't seem to update cookie information in real time. Chrome Dev Tools似乎无法实时更新Cookie信息。 After checking All Site data on Settings, I found that my domain had only one cookie associated with it and that was the one for Tab 2. 在检查了“设置”上的“所有站点”数据后,我发现我的域只有一个与之关联的cookie,这是选项卡2中的那个。
So actually, it does send the new cookie when I refresh Tab 1. There could be an exception as @AnthonyB said (comment). 因此,实际上,当我刷新选项卡1时,它的确会发送新的cookie。@ AnthonyB说(注释)可能会有异常。
On Dev Tools, when I closed it for Tab 1 and re-opened it for Tab 1, I found the Cookies tab to have the updated value. 在开发工具上,当我为选项卡1关闭它并为选项卡1重新打开它时,我发现Cookies选项卡具有更新的值。 I could no longer see the old cookie value. 我再也看不到旧的cookie值。
Found out, Chrome doesn't do live update on the cookies even the cookie info has changed (like it does on page elements, styles). 发现,即使Cookie信息已更改(例如页面元素,样式上的更改),Chrome也不会实时更新Cookie。
I think that wouldn't be required too. 我认为也不需要。
Cheers to everyone. 为大家加油。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.