
Session is lost after an OAuth redirect

Problem description


I use CakePHP 2.4. I have an OAuth signin on my website. 99.5% of signins are successful but 0.5% fail. I have had this error for months. I tried many things to debug and log, but still I didn't solve the problem. Although most of the requests are good, I need to solve the small part.

The scenario is as follows:


  • User clicks the Sign in button
  • I get a request token from the server (for example Yahoo, Twitter)
  • I save oauth_token in the user's session
    for example the session ID is aaa1234
  • CakePHP creates a PHPSESSID cookie and saves the session ID in this cookie.


I redirect the user to the Twitter server and the user confirms my application.


For scenario b:
It seems like the user has a new session ID now. oauth_token can't be found in the new session. But note that the old session data exists in the /tmp/sessions/ folder.


The session ID cookie doesn't exist for session aaa1234. But another tracking cookie that I set 2 days ago does exist in the cookies.


I check user agents.
It is the same when the user first comes and when the user comes back from the Yahoo server.


This failure scenario happens in Chrome, Firefox, mobile browsers and other browsers, so I can't blame the browser type.
What more should I check to diagnose this?


My CakePHP core.php settings:

Configure::write('Session', array('defaults' => 'cake'));
Configure::write('Session.cookie', 'MYPHPSESSID');
Configure::write('Session.timeout', 120);
Configure::write('Security.level', 'medium');


Other settings are the defaults as listed in this file: https://github.com/cakephp/cakephp/blob/2.5/app/Config/core.php#L182


By using this answer I checked for cookies. 20% of the erroneous users had disabled cookies. I asked personally and the user confirmed the cookie option. But it seems like the other users didn't disable cookies. Also, some users reach my website by using Android WebViews. In WebView clients I'm sure that I don't disable cookies. Also, 99% of the WebView users can successfully use the website.

Recommended answer


Your session ID might be lost because of a redirect between schemes. In case your user received a session ID on HTTP and then came back on HTTPS (or vice versa), his session would be lost/replaced by an old session he had previously on that scheme.


This is not 100% certain, but if I were you, I'd try to give it a look (it happened to me also in a past project).

EDIT
Explanation:


The clients obtain their session on HTTP, they are redirected for OAuth purposes, and when they come back, they come via HTTPS.


PHP normal sessions ($_SESSION) are lost when moving between HTTP and HTTPS. The session itself is kept on the server side, but the client loses the session_id, thus the server doesn't recognize him and the session is lost; so if you were using pure PHP, 100% of your clients would lose their session on the way back.


CakePHP handles this common problem via a cookie that saves the session ID, and then when the client comes back without a session_id in the request headers, its session is restored because of the cookie. The 0.05% of your clients that fail are clients with one (or more) of the following:

  1. Cookies disabled (more common)
  2. Browsers that do not keep cookies from the same site when switching between HTTP/HTTPS (rarer)

Possible solutions:


  1. Initialize the cookie on HTTPS to begin with (i.e. first check if the user is on HTTP, then redirect him to HTTPS, then init the session, then redirect him to the OAuth endpoint) - I personally recommend it.


  2. Some OAuth providers take parameters for the URL to redirect the user to when he finishes his authentication. You can use this and send the session ID as a parameter. - I don't recommend this, because then you might expose your client's session ID to attackers.

Good luck!
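The answer's recommended flow (check the scheme, move to HTTPS, then create the session, then redirect to the provider) together with a callback check that records the fields the question wants to diagnose, as an added model in Python; it is not the answer's code or CakePHP code, and SessionStore, start_oauth, oauth_callback and the provider URL are hypothetical.

```python
"""Framework-agnostic model of the answer's recommended fix: start the OAuth
flow only from HTTPS (so the session cookie exists on the scheme the user returns
on) and bind the callback to the session-stored token. Not CakePHP code."""
from urllib.parse import urlencode

SESSION_COOKIE = "MYPHPSESSID"  # cookie name from the question's core.php
PROVIDER_AUTH_URL = "https://provider.example/oauth/authenticate"  # placeholder

class SessionStore:
    """Minimal in-memory stand-in for the server-side session files."""
    def __init__(self):
        self._data, self._n = {}, 0

    def new_session(self):
        self._n += 1
        sid = f"sess{self._n}"
        self._data[sid] = {}
        return sid

    def read(self, sid, key):
        return self._data.get(sid, {}).get(key)

    def write(self, sid, key, value):
        self._data[sid][key] = value

def start_oauth(request, store, request_token):
    """request: dict with 'scheme', 'host', 'path'. Returns (status,
    Location, Set-Cookie) for the redirect response."""
    if request["scheme"] != "https":
        # Answer's step 1: move the user to HTTPS before creating the session.
        return 302, f"https://{request['host']}{request['path']}", None
    sid = store.new_session()
    store.write(sid, "oauth_token", request_token)
    # Secure/HttpOnly flags are hardening added here, not from the answer.
    cookie = f"{SESSION_COOKIE}={sid}; Path=/; Secure; HttpOnly"
    return 302, f"{PROVIDER_AUTH_URL}?{urlencode({'oauth_token': request_token})}", cookie

def oauth_callback(request, store, log):
    """Accept only if the returned oauth_token matches the caller's session;
    otherwise log the fields the question wants to diagnose and reject."""
    sid = request["cookies"].get(SESSION_COOKIE)
    stored = store.read(sid, "oauth_token")
    returned = request["query"].get("oauth_token")
    if stored is None or stored != returned:
        log.append({"event": "oauth_session_mismatch", "scheme": request["scheme"],
                    "session_cookie_present": sid is not None,
                    "user_agent": request.get("user_agent")})
        return False
    return True
```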

這篇關于OAuth 重定向后會話丟失的文章就介紹到這了,希望我們推薦的答案對大家有所幫助,也希望大家多多支持html5模板網!

