在 PHP 中的 PHPSESSID cookie 上设置 httpOnly 和安全
[英]Set httpOnly and secure on PHPSESSID cookie in PHP
问题描述
Whats the recommended way to set httponly and secure flags on the PHPSESSID cookie?
在 PHPSESSID cookie 上设置 httponly 和安全标志的推荐方法是什么?
I found http://www.php.net/manual/en/session.configuration.php#ini.session.cookie-httponly .我找到了http://www.php.net/manual/en/session.configuration.php#ini.session.cookie-httponly 。 Any better suggestions?有什么更好的建议吗?
thanks谢谢
8 个解决方案
解决方案2
20 已采纳 2011-07-25 21:01:38
在我看来最好的是: http : //www.php.net/manual/en/function.session-set-cookie-params.php
void session_set_cookie_params ( int $lifetime [, string $path [, string $domain [, bool $secure = false [, bool $httponly = false ]]]] )
解决方案3
18 2011-08-08 22:21:21
I was unable to get the secure flag working with session_set_cookie_params(...) , so what I did was, after session_start() set the PHPSESSID cookie, I reset it with setcookie(...) .我无法使用session_set_cookie_params(...)获得安全标志,所以我所做的是,在session_start()设置 PHPSESSID cookie 后,我用setcookie(...)重置它。 The final parameter, true, makes the cookie have a secure flag.最后一个参数 true 使 cookie 具有安全标志。
<?php
session_start();
$currentCookieParams = session_get_cookie_params();
$sidvalue = session_id();
setcookie(
'PHPSESSID',//name
$sidvalue,//value
0,//expires at end of session
$currentCookieParams['path'],//path
$currentCookieParams['domain'],//domain
true //secure
);
?>
When I checked the PHPSESSID cookie in Firefox, its 'Send for' property was set to 'Encrypted connections only' and its 'Expires' property was set to 'At end of session'.当我在 Firefox 中检查 PHPSESSID cookie 时,它的“发送对象”属性设置为“仅加密连接”,其“过期”属性设置为“会话结束时”。
解决方案4
5 2020-04-23 15:29:09
A more elegant solution since PHP >=7.0自PHP >=7.0以来更优雅的解决方案
session_start(['cookie_lifetime' => 43200,'cookie_secure' => true,'cookie_httponly' => true]);
解决方案5
2 2017-08-25 02:44:42
我通过 HTTPS 使用 Apache httpd,设置session.cookie_httponly = 1 & session.cookie_secure = 1对我有用。
解决方案6
2 2020-02-04 11:54:25
For a WordPress website, I fixed it using the following PHP code:对于 WordPress 网站,我使用以下 PHP 代码修复了它:
add_action('init', 'start_session', 1);
function start_session() {
if(!session_id()) {
session_start();
$currentCookieParams = session_get_cookie_params();
$sidvalue = session_id();
setcookie(
'PHPSESSID',//name
$sidvalue,//value
0,//expires at end of session
$currentCookieParams['path'],//path
$currentCookieParams['domain'],//domain
true //secure
);
}
}
add_action('wp_logout','end_session');
add_action('wp_login','end_session');
function end_session() {
session_destroy();
}
Paste the code in the functions.php file.将代码粘贴到functions.php 文件中。
解决方案7
0 2016-11-30 03:01:00
如果您使用的是 Apache,请在您的 .htaccess 上试试这个
php_value session.cookie_httponly 1
解决方案8
0 2018-07-16 08:50:42
Using .htaccess for this purpose just slows down your application.为此目的使用 .htaccess 只会减慢您的应用程序的速度。
I think its better to add this snippet in your main config file ( example config.php ) or main include file ( example global.php )我认为最好将此代码段添加到您的主配置文件(例如 config.php )或主要包含文件(例如 global.php )中
// Prevents javascript XSS attacks aimed to steal the session ID
ini_set('session.cookie_httponly', 1);
// Prevent Session ID from being passed through URLs
ini_set('session.use_only_cookies', 1);
If you are using https:// instead of http:// , then also do如果您使用的是 https:// 而不是 http:// ,那么也这样做
// Uses a secure connection (HTTPS)
ini_set('session.cookie_secure', 1);
This method is also suitable for thos who dont have access to php.ini此方法也适用于无法访问 php.ini 的人
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.