如何在常规 PHP/HTML 页面和 angular 页面之间共享 PHP session?
[英]How do I share PHP session between regular PHP/HTML pages and an angular page?
问题描述
I have written a web application mostly using HTML and PHP.
我编写了一个 web 应用程序,主要使用 HTML 和 PHP。
All (login required) pages of the website is controlled using PHP session, except one single SPA Angular page.网站的所有(需要登录)页面都使用 PHP session 进行控制,一个 SPA Angular 页面除外。
Users login using HTML and PHP, and a PHP session is created to authenticate the users.用户使用 HTML 和 PHP 登录,并创建一个 PHP session 来验证用户。
When users click to go to the Angular page, I do not want to ask the users to login again,当用户点击go到Angular页面时,我不想让用户再次登录,
so is there a way to securely share the existing PHP session with an angular page?那么有没有办法安全地与 angular 页面共享现有的 PHP session?
Thank you for your help.谢谢您的帮助。
3 个解决方案
解决方案1
1 2022-03-24 13:11:00
After login in PHP, you can store the credentials (username, password) encrypted in a cookie with sha1() for example.登录 PHP 后,您可以将凭据(用户名、密码)加密存储在 cookie 中,例如使用 sha1()。
In Angular you read that cookie, extract the username and the hashed password and check them via POST AJAX request (/check_credentials.php) before letting the user in the SPA.在 Angular 中,您读取该 cookie,提取用户名和散列密码,并在让用户进入 SPA 之前通过 POST AJAX 请求 (/check_credentials.php) 检查它们。
If you have a token based security (the token expires after a period and it must be renewed) you can store the encrypted token in the cookie and not the hashed password which can be a vulnerability to XSS attacks ( https://owasp.org/www-community/attacks/xss/ ) and check the token via AJAX from Angular.如果您有基于令牌的安全性(令牌在一段时间后过期并且必须更新),您可以将加密令牌存储在 cookie 中而不是散列密码,这可能是 XSS 攻击的漏洞( https://owasp.org /www-community/attacks/xss/ ) 并通过 AJAX 从 Angular 检查令牌。
解决方案2
1 2022-03-24 13:30:22
I'm not sure if "sharing" a session is possible and even if it is, it's probably not recommended or standard practice.我不确定是否可以“共享”session,即使可以,也可能不推荐或不标准做法。 Generally you'll want to make your frontend make calls to your backend API. Thus, if a user went to your Angular page, you could make an API request to check if a user has been authenticated before showing the login page.通常,您需要让前端调用后端 API。因此,如果用户访问您的 Angular 页面,您可以发出 API 请求以在显示登录页面之前检查用户是否已通过身份验证。
Hard telling you what a secure and minimal change option is for your particular app without more details but you should be able to use a secure server-side cookie that is sent with every API request from Angular or React (using axios you can use the withCredentials) to the API (it doesn't have to be an API, it could be a PHP page that is set up to handle the request) that contains a JWT (may be overly complex for your use-case) that can verify the user is authenticated.在没有更多详细信息的情况下,很难告诉您特定应用程序的安全和最小更改选项是什么,但您应该能够使用安全的服务器端 cookie,该 cookie 随来自 Angular 或 React 的每个 API 请求一起发送(使用 axios,您可以使用 withCredentials ) 到 API(不一定是 API,它可以是设置为处理请求的 PHP 页面),其中包含可以验证用户的 JWT(对于您的用例来说可能过于复杂)已通过身份验证。 JWT data can be seen from the frontend so don't use it as a secure way to check for hidden or secret data but it is a way to validate verified data. JWT 数据可以从前端看到,所以不要将它用作检查隐藏或秘密数据的安全方法,但它是一种验证已验证数据的方法。
Even though it's convenient, I'd stay away from passing around passwords or password hashes especially in frontend accessible cookies (which are generally frowned upon anyway).尽管它很方便,但我会远离传递密码或密码哈希值,尤其是在前端可访问的 cookies(无论如何通常不受欢迎)。
解决方案3
0 2022-03-24 13:35:21
You have to know, that the session cookie is unset if you leave the Browser.您必须知道,如果您离开浏览器,session cookie 将被取消设置。
So now you must save the information in long time cookies... for example save the username and password in a persistent cookie...所以现在你必须长时间保存信息 cookies ...例如将用户名和密码保存在持久性 cookie 中...
But notice you should encrypt the password and the username which are stored in the cookie.但请注意,您应该对存储在 cookie 中的密码和用户名进行加密。
BUT be aware - if somebody can set these cookies in fe an Browser Addon, which allows Cookies to set Manually - then it doesnt matter if you encrypt or not!但请注意 - 如果有人可以在浏览器插件中设置这些 cookies,它允许 Cookies 手动设置 - 那么加密与否都没有关系!
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.