I noticed that including the following lines of PHP code to prevent session fixation or hijacking seems to cause session variables not to persist across pages.
My diagnosis shows that if these lines of code are removed, the session variables are stored in the session file, which resolves the session variable persistence problem.
```php
<?php
// session_start() is assumed to have been called earlier in the script.
if (!isset($_SESSION['login']))
{
    session_regenerate_id(true);
    $_SESSION['login'] = 1;
}

// Additional layers of defense to prevent session hijacking
validate_session($_SERVER['SERVER_NAME']);

// These functions are used to defend against session hijacking
function validate_session($url)
{
    // Destroy the session if the referer is not this host, a logout was requested,
    // or the client IP / user agent differs from the values recorded last time
    if (strpos($_SERVER['HTTP_REFERER'], $url) !== 0 ||
        isset($_GET['LOGOUT']) ||
        $_SERVER['REMOTE_ADDR'] !== $_SESSION['PREV_REMOTEADDR'] ||
        $_SERVER['HTTP_USER_AGENT'] !== $_SESSION['PREV_USERAGENT'])
        session_destroy();
    #time-out logic
    session_regenerate_id(true); // generate a new session identifier
    $_SESSION['PREV_USERAGENT'] = $_SERVER['HTTP_USER_AGENT'];
    $_SESSION['PREV_REMOTEADDR'] = $_SERVER['REMOTE_ADDR'];
}
?>
```
What can I change to make it work?
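The same fingerprint and logout checks, rearranged so that a brand-new session records its fingerprint instead of being destroyed on its first request (the cause of the persistence problem above). This is an added example, not the poster's code; it assumes session_start() has already been called and uses a hypothetical SESSION_IDLE_TIMEOUT constant for the time-out logic.

```php
<?php
// Added example, not the poster's code: the same checks, reordered so that a new
// session records its fingerprint on the first request instead of failing it.
// Assumes session_start() was already called earlier in the script.

const SESSION_IDLE_TIMEOUT = 1800; // seconds of inactivity before a session expires

function fingerprint_mismatch(): bool
{
    // Compare only when a previous fingerprint exists; otherwise the first request of
    // every new session is destroyed, which is the persistence problem described above.
    if (!isset($_SESSION['PREV_REMOTEADDR'], $_SESSION['PREV_USERAGENT'])) {
        return false;
    }
    return $_SERVER['REMOTE_ADDR'] !== $_SESSION['PREV_REMOTEADDR']
        || ($_SERVER['HTTP_USER_AGENT'] ?? '') !== $_SESSION['PREV_USERAGENT'];
}

function session_timed_out(): bool
{
    return isset($_SESSION['LAST_ACTIVITY'])
        && (time() - $_SESSION['LAST_ACTIVITY']) > SESSION_IDLE_TIMEOUT;
}

function end_session(): void
{
    // Empty the data, expire the cookie, drop the server-side record, then open a
    // fresh session so that code running later does not write into the old one.
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000, $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
    session_start();
    session_regenerate_id(true);
}

function validate_session(): void
{
    if (isset($_GET['LOGOUT']) || session_timed_out() || fingerprint_mismatch()) {
        end_session();
    }
    // Record the fingerprint and activity time for the next request.
    $_SESSION['PREV_USERAGENT'] = $_SERVER['HTTP_USER_AGENT'] ?? '';
    $_SESSION['PREV_REMOTEADDR'] = $_SERVER['REMOTE_ADDR'];
    $_SESSION['LAST_ACTIVITY'] = time();
}

validate_session();
```

The HTTP_REFERER check is dropped because browsers and proxies may omit or strip that header, so it rejects legitimate requests without reliably stopping a hijacked one; the session id is regenerated at login and after end_session() rather than on every request, since per-request regeneration races with concurrent requests from the same browser.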