問題描述
我有一個 (HTTPS) login.php 頁面,它仍然是 HTTPS(即用戶登錄后轉(zhuǎn)到帳戶儀表板).現(xiàn)在的問題是說用戶在登錄到安全儀表板時點(diǎn)擊了一個非敏感頁面,如(HTTP)about-us.php 頁面,會話不會通過 HTTP 傳輸,因?yàn)槲矣?session.cookie_secure=1,這意味著用戶在 HTTP 頁面上顯示為已注銷.
I have a (HTTPS) login.php page which remains HTTPS (ie once user logged in goes to account dashboard). Now the problem is say the user whilst logged on to the secure dashboard clicks onto a non-sensitive page like (HTTP) about-us.php page, the session is not transmitted over HTTP as I have session.cookie_secure=1, meaning the user appears logged out on HTTP pages.
但是,當(dāng)用戶返回儀表板頁面或任何敏感帳戶頁面時,我被告知他仍應(yīng)登錄(即從 HTTP 返回到 HTTPS)?然而事實(shí)并非如此,他似乎也在 HTTPS 連接上注銷了?
However when the user goes back to dashboard page or any sensitive account page I have been told he should still be logged in (ie from HTTP back to HTTPS)? However this is not the case and he appears logged out on the HTTPS connection too?
我相信我遺漏了導(dǎo)致此問題的某些內(nèi)容.這是我的代碼:
I believe I am missing something which is causing this problem. Here is my code:
這是在 login.php 頁面上調(diào)用以啟動會話的 PHP 頭文件:
This is PHP header file which is called to start session on login.php page:
session_start();
session_regenerate_id(true); /*avoid session fixation attempt*/
/*Create and check how long session has been started (over 5 mins) regenerate id - avoid session hijack*/
if(!isset($_SESSION['CREATED']))
{
$_SESSION['CREATED'] = time();/*time created session, ie from login/contact advertiser/email_confirm only ways for new session to start*/
}
elseif(time() - $_SESSION['CREATED'] > 300)
{
/*session started more than 5 mins(300 secs) ago*/
session_regenerate_id(true); /*change session ID for the current session and invalidate old session ID*/
$_SESSION['CREATED'] = time(); /*update creation time*/
}
/*Check if user is logged in*/
if(!isset($_SESSION['loggedin']))
{
$_SESSION['loggedin']=1;/*used to track if user is logged in on pages*/
}
/*if return false browser supports standard ob_start();*/
if(ob_start("ob_gzhandler")){ob_start();}
這是每個頁面都需要的 PHP 頭文件,用于檢查會話是否已經(jīng)啟動:
This is PHP header file required on every page to check if session initiated already:
session_start();
$session_errors=0;/* if>0 user not logged in*/
/*check if session is already initiated*/
if(isset($_SESSION['CREATED']))
{
if(time() - $_SESSION['CREATED'] > 300)
{
/*session started more than 5 mins(300 secs) ago*/
session_regenerate_id(true); /*change session ID for the current session and invalidate old session ID*/
$_SESSION['CREATED'] = time(); /*update creation time*/
}
}
elseif(!isset($_SESSION['CREATED'])){$session_errors++;}/*user not logged in*/
/*Check if user is logged in*/
if(!isset($_SESSION['loggedin'])){$session_errors++;}/*user not logged in*/
if(ob_start("ob_gzhandler")){ob_start();}
此外,如果有任何用途,這是在非敏感頁面(例如 about-us.php)上打開 HTTPS 的代碼
Also if any use this is the code to turn HTTPS of on non-sensitive pages such as about-us.php
if ($_SERVER['SERVER_PORT']!=80)
{
$url = "http://". $_SERVER['SERVER_NAME'] . ":80".$_SERVER['REQUEST_URI'];
header("Location: $url");
}
我的 php.ini 文件 cookie 設(shè)置
My php.ini file cookie settings
session.cookie_secure=1
session.cookie_httponly=1
session.use_only_cookies=1
session.cookie_lifetime = 0
session.save_path = /tmp
session.save_handler = files
推薦答案
已回答以幫助可能偶然發(fā)現(xiàn)此問題的人
作為 切換時會話丟失的答案PHP 中從 HTTP 到 HTTPS 已經(jīng)結(jié)束,因?yàn)槟褂玫氖?session.cookie_secure = 1 包含會話 ID 的 cookie 在連接從 HTTPS 切換到 HTTP 時不會傳輸.在 HTTP 連接時,當(dāng)您 session_start() 時,PHP 會創(chuàng)建一個新的會話 ID,該 ID 會替換之前的會話 ID.
As the the answer at Session lost when switching from HTTP to HTTPS in PHP has concluded, since you are using session.cookie_secure = 1 the cookie that contains the session ID is not transferred when the connection switches from HTTPS to HTTP. At HTTP connection, when you session_start(), PHP creates a new session id, which replaces the previous session id.
答案還提出了一個解決方案,使用查詢字符串傳遞會話 id,然后由頁面獲取.這聞起來有安全漏洞的壞處.別忘了我們最初使用 HTTPS 的原因!
The answer also suggests a solution, pass the session id using query string, which is then picked up by the page. This smells of bad of security flaw. Don't forget the reason why we used HTTPS in the first place!
因此,我建議您的解決方案是將所有 http 請求重定向到 https 對應(yīng)請求.對站點(diǎn)中的所有內(nèi)容使用 HTTPS,從 css、圖像到普通的靜態(tài) html 頁面.這實(shí)際上是每個認(rèn)真對待安全性的應(yīng)用程序都會做的事情.比如使用HTTP訪問github頁面會返回:
So the solution I suggest to you is that you redirect all http request to https counterparts. Use HTTPS for everything in your site, from css, images, to mundane static html pages. This is actually something that every application that is serious about security does. For example, visiting github page using HTTP will return:
HTTP/1.1 301 Moved Permanently
Server: nginx/0.7.67
Date: Sun, 08 May 2011 15:43:01 GMT
Content-Type: text/html
Content-Length: 185
Connection: close
Location: https://github.com/
<html>
<head><title>301 Moved Permanently</title></head>
<body bgcolor="white">
<center><h1>301 Moved Permanently</h1></center>
<hr><center>nginx/0.7.67</center>
</body>
</html>
記住您最初使用 HTTPS 的原因,如果您想完全安全,請在所有情況下都使用 HTTPS.
Remember why you used HTTPS in the first place, if you want to be totally secure, use HTTPS for everything.
檢測請求是否為 HTTPS (見這個問題)在引導(dǎo).
Detect if the request is HTTPS or not (See this question) at bootstrap.
如果請求是 HTTP,要么將所有請求重定向到 HTTPS 主頁,或者您可以嘗試解析 $_SERVER['REQUEST_URI'] 并使用 parse_url 將 HTTP 請求重定向到對應(yīng)的 HTTPS 請求 和 http_build_url.
If the request is HTTP, either redirect all requests to HTTPS home page, or you can try parsing $_SERVER['REQUEST_URI'] and redirecting HTTP request to their HTTPS counterpart using parse_url and http_build_url.
第二種替代方案
如果您真的不想對所有內(nèi)容都使用 HTTPS,那么請不要在使用 HTTP 訪問的頁面上session_start().當(dāng)您這樣做時,安全 cookie 將被保留.
If you really really don't want to use HTTPS for everything, then don't session_start() on pages that are accessed with HTTP. Secure cookies will be retained when you do this.
第三種替代方案
另一種解決方案是嘗試通過 IP 地址和用戶代理檢測用戶.這不能保證是準(zhǔn)確的,所以我的建議是對所有事情都使用 HTTPS.例如,即使是普通的靜態(tài)頁面,Paypal 也始終使用 HTTPS.
The other solution is to try and detect the user by IP addresses and user agent. This is not guaranteed to be accurate, so what I suggest is just use HTTPS for everything. Paypal, for example, always use HTTPS even for mundane static pages.
這篇關(guān)于PHP session HTTP to HTTPS 問題的文章就介紹到這了,希望我們推薦的答案對大家有所幫助,也希望大家多多支持html5模板網(wǎng)!