I have two sessions in PHP:

    $_SESSION["session"]["key"] = md5($token . $userAgent . $ip);
    $_SESSION["session"]["timeout"] = time();

I just want to check those sessions with nginx. I tried this code without success:

    location / {
        if ($request_filename ~* "index.php") {
            break;
        }
        if ($http_cookie ~* "session") {
            break;
        }
        rewrite ^.+$ https://localhost/index.php last;
    }

Any clues?

Thanks.

A cookie just holds the session ID; an ID is always created upon session_start(), so if you're calling that within your script the user will always have a session ID.

Your best bet is to add a second cookie:

    setcookie('session_key', md5($token . $userAgent . $ip));

Then within nginx:

    if ($http_cookie ~* "session_key") {
        break;
    }

to check if that cookie is set.

If the hash is sensitive then do this:

    setcookie('session_key_active', '1');

Then in nginx:

    if ($http_cookie ~* "session_key_active") {
        break;
    }

But this is still vulnerable; always check that server-side values match!
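
The server-side check the answer calls for, as an added example that is not part of the original answer. The function names, the 1800-second idle limit and the sample values are assumptions constructed for illustration; `md5` is kept only so the key matches the derivation used in the question.

```php
<?php
declare(strict_types=1);

// Assumed idle limit in seconds; the page does not state one.
const SESSION_IDLE_LIMIT = 1800;

// Hypothetical helper: rebuilds the key the same way the question does.
function session_fingerprint(string $token, string $userAgent, string $ip): string
{
    return md5($token . $userAgent . $ip);
}

// Hypothetical validator. $session is the $_SESSION["session"] array from the
// question. The nginx cookie test only proves that a cookie name was sent;
// this function decides whether the request really belongs to the session.
function session_is_valid(array $session, string $token, string $userAgent, string $ip, int $now): bool
{
    if (!isset($session['key'], $session['timeout'])) {
        return false; // marker cookie sent, but no server-side state exists
    }
    if (!is_string($session['key']) || !is_int($session['timeout'])) {
        return false;
    }
    if ($now - $session['timeout'] > SESSION_IDLE_LIMIT) {
        return false; // idle for too long
    }
    // Constant-time comparison of the stored key against this request.
    return hash_equals($session['key'], session_fingerprint($token, $userAgent, $ip));
}

// Constructed sample data (not taken from the page).
$token  = 'constructed-token';
$ua     = 'ExampleBrowser/1.0';
$ip     = '192.0.2.10';
$now    = 1700000000;
$stored = ['key' => session_fingerprint($token, $ua, $ip), 'timeout' => $now - 60];

// Every case below would pass the nginx test once "session_key_active=1" is sent.
$cases = [
    'same client, fresh session'     => [$stored, $ua, $ip, $now],
    'forged cookie, no session data' => [[], $ua, $ip, $now],
    'different user agent'           => [$stored, 'OtherBrowser/2.0', $ip, $now],
    'idle past the limit'            => [$stored, $ua, $ip, $now + 7200],
];
foreach ($cases as $label => [$session, $caseUa, $caseIp, $caseNow]) {
    $ok = session_is_valid($session, $token, $caseUa, $caseIp, $caseNow);
    printf("%-32s %s\n", $label, $ok ? 'accept' : 'reject');
}
```

Only the first case is accepted, which is why the nginx cookie test can act as a cheap early redirect but not as the access decision.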