重定向后 PHPSESSID cookie 丢失
[英]PHPSESSID cookie lost after redirect
问题描述
My website redirects user to the payment Gateway page.
我的网站将用户重定向到支付网关页面。 Once the user has completed the payment, they are redirected back to my website receipt page process.php .用户完成付款后,他们将被重定向回我的网站收据页面process.php 。 Please note that user redirects away from and return to https page.请注意,用户重定向离开并返回到 https 页面。 website URL is exactly the same ie: user redirects away from https://website.com/payment.php to Payment Gateway and then back to https://website.com/process.php?para1=true¶2=true website URL is exactly the same ie: user redirects away from https://website.com/payment.php to Payment Gateway and then back to https://website.com/process.php?para1=true¶2=true
session_start();
print_r($_COOKIE);
print_r($_SESSION);
What i get is this:我得到的是:
Array(
[lang] => en
[theme] => light
[timezone] => Asia/Baghdad
)
Array(
)
What I expect to get is this:我期望得到的是:
Array(
[lang] => en
[theme] => light
[timezone] => Asia/Baghdad
[PHPSESSID] => 2b656f9120*********6fd1817316
)
Array(
[nonce] => 68e56bb********f2253529e09bf3f
[userID] => 1
[last_error] =>
[last_success] =>
)
Things i've tried:我尝试过的事情:
- Failed to recreate issue by redirecting user to another website that i own and redirecting them back to
process.php无法通过将用户重定向到我拥有的另一个网站并将他们重定向回process.php来重新创建问题 - Tried redirecting user landed on
process.phpagain toprocess.php尝试将登录到process.php的用户再次重定向到process.php - On another tab when I refresh any other page on my website, the
PHPSESSIDcomes back.当我刷新网站上的任何其他页面时,在另一个选项卡上, PHPSESSID会返回。 Refreshingprocess.phpafter refreshing other page makesPHPSESSIDto appear again.刷新process.php。php 刷新其他页面后使PHPSESSID再次出现。 - This is only happening when the Payment Gateway redirects user back to my website.仅当支付网关将用户重定向回我的网站时才会发生这种情况。 Redirecting from any other website using
header("Location: website.com/process.php")does not reproduce the issue.使用header("Location: website.com/process.php")从任何其他网站重定向不会重现该问题。
1 个解决方案
解决方案1
0 2022-01-17 00:26:04
Do you have something like this in your apache config?你的 apache 配置中有类似的东西吗?
Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure;SameSite=Strict
Changing Strict to Lax should solve your issue:将 Strict 更改为 Lax 应该可以解决您的问题:
Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure;SameSite=Lax
See also https://www.sjoerdlangkemper.nl/2016/04/14/preventing-csrf-with-samesite-cookie-attribute/另见https://www.sjoerdlangkemper.nl/2016/04/14/preventing-csrf-with-samesite-cookie-attribute/
Try changing the defaults for session_start() :尝试更改session_start()的默认值:
$secure = true; // if you only want to receive the cookie over HTTPS
$httponly = true; // prevent JavaScript access to session cookie
$samesite = 'lax';
if (PHP_VERSION_ID < 70300) {
session_set_cookie_params($maxlifetime, '/; samesite='.$samesite, $_SERVER['HTTP_HOST'], $secure, $httponly);
} else {
session_set_cookie_params([
'lifetime' => $maxlifetime,
'path' => '/',
'domain' => $_SERVER['HTTP_HOST'],
'secure' => $secure,
'httponly' => $httponly,
'samesite' => $samesite
]);
}
See also https://www.php.net/manual/de/function.session-set-cookie-params.php#125072另见https://www.php.net/manual/de/function.session-set-cookie-params.php#125072
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.