我正在使用来自Wikihow.com的PHP安全会话处理使用数据库存储方法并同时处理大量的ajax请求我在teamtreehouse.com上引用bulletproof sessions
我正在全面关注它,但现在仍然可以找到我想要达到的地方。当发出多个ajax请求时,我正在注销,我的数据库被垃圾会话填满。
我也尝试过使用teamtreehouse.com博客上显示的方式,不使用数据库方法,但我仍然只有多个垃圾但是实时会话。
任何人都可以告诉我,我需要做什么,或者我怀疑teamtreehouse.com博客提供的代码是否需要进行任何更改。抱歉不是那么高手,但我想是的。
如果需要任何编码,我一定会提供。
谢谢
会话启动功能以及基于tth博客
的其他功能function start_session($session_name, $secure)
{
$httponly = true; ## if true it makes sure the session cookie is not accessible via javascript.
$session_hash_algo = 'sha512'; ## hash 'algo'rithm to use for the session.
if(in_array($session_hash_algo, hash_algos())) ## check if hash algorithm is available
{
ini_set('session.hash_function',$session_hash_algo); ## temporary sets the value of the given configuration option during execution
}
ini_set('session.hash_bits_per_character', 5); ## sets number of bits per character of hash
ini_set('session.use_cookies', 1); ## Set the session to use cookies
ini_set('session.use_only_cookies', 1); ## force the session to use only cookies and not the URL variable
$cookieParams = session_get_cookie_params();
session_set_cookie_params
(
$cookieParams["lifetime"],
$cookieParams["path"],
$cookieParams["domain"],
$secure,
$httponly
);
if (session_status() == PHP_SESSION_NONE) {
session_name($session_name); ## set the session name
session_start(); ## starts the session
session_regenerate_id(true); ## if true regenerates the session id and deletes the old one,
# it also generates a new encryption key in database
if($this->validateSession())
{
// Check to see if the session is new or a hijacking attempt
if(!$this->preventHijacking())
{
// Reset session data and regenerate id
$_SESSION = array();
$_SESSION['IPaddress'] = $_SERVER['REMOTE_ADDR'];
$_SESSION['userAgent'] = $_SERVER['HTTP_USER_AGENT'];
$this->regenerateSession();
// Give a 5% chance of the session id changing on any request
} else if(rand(1, 100) <= 5) {
$this->regenerateSession();
}
}
}
}
static protected function preventHijacking()
{
if(!isset($_SESSION['IPaddress']) || !isset($_SESSION['userAgent']))
return false;
if ($_SESSION['IPaddress'] != $_SERVER['REMOTE_ADDR'])
return false;
if( $_SESSION['userAgent'] != $_SERVER['HTTP_USER_AGENT'])
return false;
return true;
}
static function regenerateSession()
{
// If this session is obsolete it means there already is a new id
if(isset($_SESSION['OBSOLETE']) || $_SESSION['OBSOLETE'] == true)
return;
// Set current session to expire in 10 seconds
$_SESSION['OBSOLETE'] = true;
$_SESSION['EXPIRES'] = time() + 10;
// Create new session without destroying the old one
session_regenerate_id(false);
// Grab current session ID and close both sessions to allow other scripts to use them
$newSession = session_id();
session_write_close();
// Set session ID to the new one, and start it back up again
session_id($newSession);
session_start();
// Now we unset the obsolete and expiration values for the session we want to keep
unset($_SESSION['OBSOLETE']);
unset($_SESSION['EXPIRES']);
}
static protected function validateSession()
{
if( isset($_SESSION['OBSOLETE']) && !isset($_SESSION['EXPIRES']) )
return false;
if(isset($_SESSION['EXPIRES']) && $_SESSION['EXPIRES'] < time())
return false;
return true;
}