https和http之间的PHP SESSION变量
[英]PHP SESSION variables between https and http
问题描述
I have a website that has a secure area (https) and the rest of the site, which is http. 
我有一个具有安全区域(https)的网站,该网站的其余部分为http。 Everything works wonderful using session variables to login on the https side of things, and the secured area is functioning wonderfully. 使用会话变量登录事物的https端,一切工作都很棒,并且安全区域的运行也很出色。
My issue: I have a "login/register" button at the top of every http page on the site. 我的问题:网站上每个http页面的顶部都有一个“登录/注册”按钮。 I would like this to reflect login status and change to "logout" and also have some other logged in buttons that simply redirect to the https pages. 我希望这能反映登录状态并更改为“注销”,并且还具有其他一些登录按钮,这些按钮仅重定向到https页面。 I am not trying to manipulate any data or other secured info on the http pages in any way. 我没有试图以任何方式操纵http页面上的任何数据或其他安全信息。
In IE8 the https created session variable for login is detected in http (on the home page) and it correctly displays the alternative "log out" link. 在IE8中,在http(在主页上)中检测到https创建的用于登录的会话变量,并且该变量正确显示了替代的“注销”链接。 However, in all other browsers the session variable is not there in http. 但是,在所有其他浏览器中,http中都不存在会话变量。 What is the easiest way to fix this without creating a huge security flaw? 解决此问题而不造成巨大安全漏洞的最简单方法是什么? Oh, and the urls are the same except for http and https. 哦,除了http和https外,其他网址都一样。
2 个解决方案
解决方案1
1 已采纳 2011-01-14 08:35:19
许多站点使用的一种简单方法是通过脚本向客户端实际加载按钮,该脚本向HTTPS url发出请求以确定用户是否登录,而不是使用HTML它是HTTP服务页面的一部分。
解决方案2
1 2011-01-14 08:41:17
If you want to secure session cookie, you want to make sure the browser only send out the cookie in HTTPS. 如果要保护会话cookie,请确保浏览器仅在HTTPS中发送cookie。 Therefore, any way to figure out login status from HTTP communication is insecure. 因此,从HTTP通信中找出登录状态的任何方法都是不安全的。
I +1 the solution Amber posted. 我+1解决方案Amber发布。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.