
Having two different sessions in same domain

I run foo.com. I have two different applications that live in foo.com: one is foo.com/bar, and the other is foo.com/example. I use sessions to track information about the user while they're logged in, but if the user goes from foo.com/bar to foo.com/example, foo.com/example sees the session the user started from foo.com/bar and uses that information. My question is, how can I have two different sessions going for each directory at the same time?

You should call session_name before calling session_start. This sets the name of the cookie used to identify the session (by default this is PHPSESSID).

Use a different name for each application. You shouldn't have to mess with the variables inside the session.

I think it's very important to highlight the potential security implications associated with the solutions provided so far. I have been a web application penetration tester for about 5 years and have developed numerous vulnerable security applications in this time to assist with training of juniors starting out in IT security.

I have just been testing the solutions provided and have noted that none of them prevent access to a session belonging to the neighbouring app. Using different session identifier names with session_name() doesn't prevent users from using the value of these identifiers. PHP doesn't have segregated storage for each session identifier name. I had two apps using different session names and setting a cookie path for the browser. The following respective Set-Cookie directives were included in HTTP responses:

Set-Cookie: TESTONE=<value one>; path=/testone/

Set-Cookie: TESTTWO=<value two>; path=/testtwo/

If both apps had entirely separate users and someone only had access to the /testtwo/ app, they may be able to access info on the /testone/ app depending on the way in which session parameters were being handled. An example code segment below shows a potential data breach assuming that both apps use a $_SESSION["authenticated"] parameter after successful authentication.

<?php
    // Deliberately vulnerable example from the answer: a distinct cookie name and
    // path, but the session data itself still lives in the shared PHP session store.
    session_name("TESTONE");
    ini_set("session.cookie_path", "/testone/");
    session_start();
    if ($_SESSION["authenticated"] == "yes")
        echo $topsecretinfo;
?>

To access this $topsecretinfo one would only need to authenticate on the /testtwo/ application, take the value of their TESTTWO session identifier and use it as the value of the TESTONE session identifier when sending requests to the /testone/ application. PHP's session lookup process does not recognise the name of the session identifier except for parsing the corresponding value, i.e. a session identifier value of "agcy648dja6syd8f93" will return the same session object regardless of the name used to refer to it.
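The root cause described above is that both apps resolve session IDs against one shared store. The following is an added example (not code from any of the answers) that gives each app its own session storage directory, scopes the cookie, and additionally tags every session with the app that created it, so an ID replayed from /testtwo/ into /testone/ is not found and a mistagged session is discarded. It assumes the two apps live under /testone/ and /testtwo/ and that $base_path is a writable directory outside the web root.

```php
<?php
// Added example: per-application session isolation. Assumes PHP 7.3+ for the
// array form of session_set_cookie_params(), and that $base_path is writable.

function start_app_session(string $app, string $base_path = '/var/lib/php/sessions'): void
{
    // Separate storage per app (e.g. /var/lib/php/sessions/testone): an ID that
    // was issued for testtwo simply does not exist in this directory.
    $save_path = rtrim($base_path, '/') . '/' . $app;
    if (!is_dir($save_path) && !mkdir($save_path, 0700, true)) {
        throw new RuntimeException("cannot create session directory $save_path");
    }
    session_save_path($save_path);

    // Distinct cookie name, scoped to the app's path and kept out of JavaScript.
    session_name(strtoupper($app));
    session_set_cookie_params([
        'lifetime' => 0,
        'path'     => "/$app/",
        'httponly' => true,
        'secure'   => true,
        'samesite' => 'Lax',
    ]);

    // Only accept IDs this server issued; unknown IDs get a fresh one instead
    // of being adopted (session fixation defence).
    ini_set('session.use_strict_mode', '1');
    session_start();

    // Defence in depth: a session created for another app is thrown away.
    if (isset($_SESSION['app']) && $_SESSION['app'] !== $app) {
        $_SESSION = [];
        session_regenerate_id(true);   // delete the old session file, new ID
    }
    $_SESSION['app'] = $app;
}

// Usage in /testone/index.php (constructed; the hardened form of the snippet above):
start_app_session('testone');
if (($_SESSION['authenticated'] ?? '') === 'yes') {
    echo 'top secret info for testone';
}
```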

You may be able to use session_set_cookie_params to set the domain and folder for the session to be saved under, i.e.:

// Used on foo.com/example
session_set_cookie_params(86400, '/example');

// Used on foo.com/bar
session_set_cookie_params(86400, '/bar');

You could also use the same session but change the variable names that you look for.

Edit: Sorry, this doesn't answer your question but gives an alternative solution.

I realize this is old, but thought it might help someone. This example shows how we are setting a separate session for our admin area.

// Pick a cookie name based on the request path, then set it with
// session_name() before session_start(); session_start() itself does not
// accept a session name.
if ( $_SERVER['REQUEST_URI'] == '/admin/' ):
    $session_name = 'session1';
else:
    $session_name = 'session2';
endif;
session_name( $session_name );
session_start();

Another solution is to effectively create a namespace within your session by pre-pending all session values from foo.com/bar with "bar_" and foo.com/example with "example_".

The way you can keep this from being tedious is to abstract this functionality into a function or class method. For example:

function set_session_value($key, $value) {

  // Figure out which prefix to use by checking the request path (or the
  // current working directory, or whatever method you like), so that
  // $prefix is "bar_" under /bar and "example_" under /example.
  $prefix = (strpos($_SERVER['REQUEST_URI'], '/bar') === 0) ? 'bar_' : 'example_';

  $_SESSION[$prefix . $key] = $value;
}

Then get your values with a matching function.

The main advantage of this is that you don't have to think about what variable names you're using in /example while programming in /bar. The other is that if you decide to change how you are storing session values, you can easily change everything in one place.

If you pass the session ID in the URL and disable cookies in php.ini, then you won't have multiple sessions sharing the same PHPSESSID cookie value. Would that solve the problem?
