当我将会话重写为类时 - 会话在每个请求上重新生成。 (此外,我添加了params到cookies,但现在我禁用了它们。)
我有一个会话,作为一个包含文件,我没有给cookie添加任何参数。它工作正常。
我只在localhost上试试。
我的路径不标准 - 我使用一种MVC和.htaccess文件将url转换为Controller,Action和Parameters。
的.htaccess 选项-MultiViews 选项 - 索引
.com
这意味着来自Options +FollowSymlinks
RewriteEngine on
RewriteBase /public/
IndexIgnore *
RewriteCond %{ENV:REDIRECT_STATUS} ^$
RewriteCond %{ENV:REQUEST_FILENAME} !-d
RewriteCond %{ENV:REQUEST_FILENAME} !-f
RewriteCond %{ENV:REQUEST_FILENAME} !-l
RewriteRule ^index.php?(.+)$ index.php?url=$1 [QSA,L]
将被提取www.domain/public/index.php/controllerName/actionName/parameters
我的课程班级:
$_REQUEST['url'] = controllerName/actionName/parameters
在讨论会议时,我得到以下内容:
1)在函数ownDealSession中,我回显“462 ownDealSession,_SESSION =”;的print_r($ _ SESSION);
<?php
namespace nms;
use Bundle\SecureC\secureTr; //generates random string
class SessionClass {
use secureTr;
private $action; //current action
private $path; //current path
private $title;
private $msgsessEnd;
//part of OauthSession entity
private $sessName; //session name is the variable in the cookie
//The session name is reset to the default value stored in session.name at request startup time.
//Thus, you need to call session_name() for every request (and before session_start()
//or session_register() are called).
private $timelimit;
private $domain;
private $securePath;
private $ifhttps;
private $ifhttponly;
private $sesdata;
private $sesDataArr;
private $sessCount;
private $salt;
private $sesskey;
private $redirToken;
private $sessLooseIp;
private $sessLooseAgent;
private $sessProxyIp;
private $sessStart;
private $sessLastRestart;
private $sessEnd;
private $serverAddrArr;
public function __construct($sessArr=[]) {
$this->serverAddrArr = [];
$this->serverAddrArr [] = $_SERVER['SERVER_ADDR'];
$this->serverName = [];
$this->serverName[] = $_SERVER['SERVER_NAME'];
$status = session_status();
//PHP_SESSION_DISABLED - 0 if sessions are disabled.
//PHP_SESSION_NONE - 1 if sessions are enabled, but none exists.
//PHP_SESSION_ACTIVE -2 if sessions are enabled, and one exists.
echo "<br><br> 96 Sessiong.php constructor status =". $status;
if( $status== 'PHP_SESSION_ACTIVE' || $status==2 ) {
$this->sessId = session_id();
} else {
$this->sessId = false;
}
$this->timelimit = !empty($sessArr['timelimit']) ? $sessArr['timelimit'] : SESSION_TIMELIMIT;
$this->domain = !empty($sessArr['domain']) ? $sessArr['domain'] : $_SERVER['HTTP_HOST']; //
if(empty($domain)) { $domain = $_SERVER['SERVER_NAME']; }
if(empty($domain)) { $domain = DOMAIN_wwwNAME; }
$this->path = !empty($sessArr['curPath']) ? PREP.$sessArr['curPath'] : COOKIE_PATH;
$this->ifhttps = (HTT == 'https://') ? true : isset($_SERVER['HTTPS']);
$this->ifhttps = isset($sessArr['ifhttps']) ? $sessArr['ifhttps'] : $this->ifhttps;
$this->ifhttponly = isset($sessArr['ifhttponly']) ? $sessArr['ifhttponly'] : COOKIE_HTTPONLY;
$this->sessLooseIp = long2ip(ip2long($_SERVER['REMOTE_ADDR']) & ip2long("255.255.0.0"));
//check the beginning of string, because end may change, depending on device rotation on mobile and iPad
$this->sessLooseAgent = substr($_SERVER['HTTP_USER_AGENT'],0,25);
//$redirToken = md5( uniqid(microtime(), true) );
//$this->redirToken = 'rt_**_'. $redirToken .'_**_'. $this->genRandomStr(8);
$this->data = isset($sessArr['data']) ? $sessArr['data'] : []; //data here is vdArr;
//these are used for custom sessions, like payment session
//tile - payment
//msgsessEnd - Please start the payment from the beginning, because of long inactivity your data was lost.
//you also can provide another timelimit
$this->title = isset($sessArr['title']) ? $sessArr['title'] :""; //data here is vdArr;
$this->msgsessEnd = isset($sessArr['msgsessEnd']) ? $sessArr['msgsessEnd'] : 'After longer inactivity time you was log-out. Please login to continue'; //data here is vdArr;
$this->ownDealSession(); //starts if needed
}
//not filly finished, because my application use javascript
public function checkCookiesEnabled ($givArr) {
setcookie("test_cookie", "test", time() + 3600, '/');
$actionName = isset($givArr['actionName']) ? $givArr['actionName'] :
$this->htt->safeRedirct('security/checkcookie', true, true, [ 'cururl'=> $actionName ] );
}
public function ownSetCookieParams() {
if( $this->ifhttponly) {
ini_set("session.cookie_httponly", 1);
$params = session_get_cookie_params();
//echo "<br><br> 21 params after ini_set ="; print_r($params);
}
//Set cookie parameters defined in the php.ini file.
//The effect of this function only lasts for the duration of the script.
//Thus, you need to call session_set_cookie_params()
//for every request and before session_start() is called.
// Set the default secure value to whether the site is being accessed with SSL
session_set_cookie_params( $this->timelimit, $this->path, $this->domain, $this->ifhttps, $this->ifhttponly );
$params = session_get_cookie_params();
echo "<br><br> 21 Sessiong, cookie params after session_set_cookie_params ="; print_r($params);
// session_set_cookie_params ( int $lifetime
// [, string $path [, string $domain [,
// bool $secure = false - If TRUE cookie will only be sent over secure connections.
// [, bool $httponly = false - PHP will attempt to send the httponly flag when setting the session cookie.
} //function ownSetCookieParams($cooArr) {
public function ownSetCookie() {
//$cooArr= [ string $name [, string $value = "" [, int $expire = 0
//[, string $path = "" [, string $domain = "" [,
//bool $secure = false [, bool $httponly = false ]]]]]] ]
$params = session_get_cookie_params();
echo "<br><br> 21 Sessiong, cookie params after session start ="; print_r($params);
$this->sessid = session_id();
setcookie( $this->sessName, $this->sessid, $this->timelimit, $this->path, $this->domain, $this->ifhttps );
$params = session_get_cookie_params();
echo "<br><br> 21 Sessiong, cookie params after setcookie ="; print_r($params);
}
public function genRedirToken() {
$this->redirToken = 'random string , most probably jwt token';
$_SESSION['rt'] = $this->redirToken;
return $this->redirToken;
}
public function ownSetMainSessionParams($sesArr=[]) {
$now = time(); // seconds
$timelimit = !empty($sesArr['timelimit']) ? $sesArr['timelimit'] : $this->timelimit;
$_SESSION['sessStart'] = $now;
$_SESSION['sessEnd'] = $now + $timelimit;
$_SESSION['userId'] = !empty($sesArr['userId']) ? $sesArr['userId'] : USER_ANONYMOUS_ID;
$_SESSION['username'] = !empty($sesArr['username']) ? $sesArr['username'] : USER_ANONYMOUS_NAME;
$_SESSION['roles'] = !empty($sesArr['roles']) ? $sesArr['roles'] : [ USER_ANONYMOUS_ROLES ];
//$this->genRedirToken(); //$_SESSION['rt'] = $this->redirToken; $this->redirToken=generated str...
$_SESSION['sessLooseIp'] = long2ip(ip2long($_SERVER['REMOTE_ADDR']) & ip2long("255.255.0.0"));
$_SESSION['sessLooseAgent'] = substr($_SERVER['HTTP_USER_AGENT'],0,25);
}
// https://wblinks.com/notes/secure-session-management-tips/
public function checkSession ($vdArr=[]) {
$errSesArr = [];
//- FINISH TO IMPLEMENT - check url parameters - must be part of custom request
// but also applicable here .... .
//- FINISH TO IMPLEMENT
//not always applicable, applicable only in case if not redirect
//but i redirect only to login, logout, chars exercise, error, thus must be within these
//additionally during redirection there are only lang/redirToken paramemters, not more - double check parameters
//if ( isset($vdArr['path'] ) && ($_SESSION['prevPage'] != $vdArr['path']) ){
// $errSesArr [] = "Path is different"; // means different browser
//}
//double check, because buffering may change path and PHP_SELF value !
//$_SERVER['PHP_SELF'] in a script at the address http://example.com/foo/bar.php would be /foo/bar.php.
//The __FILE__ constant contains the full path and filename of the current (i.e. included) file. If PHP
if(!empty($vdArr['path'])) {
if( 'public/index.php/'.$vdArr['path'] != $_SERVER['PHP_SELF'] ) {
$errSesArr [] = "Path is different"; // means different browser
}
}
if ($_SESSION['sessLooseIp'] != long2ip(ip2long($_SERVER['REMOTE_ADDR']) & ip2long("255.255.0.0")) ) {
$errSesArr [] = "Loose Ip different"; // means different country
}
if ( $_SESSION['sessLooseAgent'] != substr($_SERVER['HTTP_USER_AGENT'],0,25) ){
$errSesArr [] = "Useragent different"; // means different browser
}
if ( (!empty($vdArr['rt']) && !empty($_SESSION['rt']) && $_SESSION['rt'] != $vdArr['rt'])
|| ( $_SESSION['sessCount'] == 0 && empty($vdArr['rt']) )// the first request, rt is not set.
){
$errSesArr [] = "Session token is different"; // means different browser
}
//server IP
if( !in_array( $_SERVER['SERVER_ADDR'], $this->serverAddrArr ) ){
$errSesArr[] = "Server address ".$_SERVER['SERVER_ADDR']." is not amont safe listed. Contact the administrator"; // means different browse
}
//if( $_SERVER['SERVER_NAME'] != $this->serverName ) {
if( !in_array( $_SERVER['SERVER_NAME'], $this->serverName ) ){
$errSesArr[] = "Server name ".$_SERVER['SERVER_NAME']." is not the one considered to be safe.";
}
if ( $_SESSION['sessionId'] !== session_id()) {
$errSesArr[] = "Session ID ". session_id() ." is invalud.";
}
//report error,
//record IP and other paramters commented-out below
if( !empty($_SESSION['prevPath']) && ($_SESSION['prevPath']==$vdArr['path'] ) ) {
//correct redirections are to ErrArr from any page, also
echo "<br><br> Sessiong, redirection. HERE must be redirection table check";
} else {
echo "<br><br> Sessiong, no redirection";
}
// redirection - special function checking possible redirection from given MAP
//echo "<br><br>Sesssion.php 61 vdArr=<br>"; var_dump($vdArr);
//echo "<br><br>Sesssion.php 62 Session=<br>";var_dump($_SESSION);
if( !empty($vdArr['rt']) && ($vdArr['rt']===$_SESSION['rt']) ) {
//proceed, everything is alright with redirection
echo "<br> 261 Session.php everyhting is alright with redirection";
}
//generate an error, record ip.
else {
//own_session_destory()
echo '<br><br> 261 Session.php, you was redirected from wrong page';
}
if( !empty($errSesArr) ) {
//$this->own_logout($errSesArr);
echo "<br><br> FINISH implement, session.php 272 !empty(errSesArr)";
print_r($errSesArr);
$errcode = md5( uniqid(microtime(), true) ) . $this->genRandomStr(5) ;
$msgErr = 'It was detected suspicious activities. Please re-login to continue or contact the administrator with err number :'.$errcode ;
//delete session, create a new session
$this->ownSetMainSessionParams( [ 'msgErr'=>$msgErr ] );
//redirect
}
// includes ownSessionDestroy(); , ownSessionStart(); userMsg, own_logout(), htt->login
} //function checkSession () {
public function ownSessionDestroy() {
//https://wblinks.com/notes/secure-session-management-tips/
setcookie( $this->sessName, $this->sessionId, 1); //The correct way to clear a cookie is to just pass in 1 as the expiry time.
session_unset();// Same as $_SESSION = array(); Destroy session on disk
session_destroy();
}
public function ownDealExpiredSession() {
$this->ownSessionDestroy();
$this->ownSessionStart(); //generates a new redirToken
$msgErr = $this->msgsessEnd;
//$this->ownSetMainSessionParams( [ 'msgErr'=>$msgErr ] );
echo "<br> 345 Session.php, session expired redirecting to login";
} // public function ownDealExpiredSess() {
public function ownSessionStart() {
//ownCheckCookiesEnabled();
$this->ownSetCookieParams();
session_start();
$_SESSION['sessCount'] = 0;
//$_SESSION['valid_id'] = session_id();
$this->sessionId = session_id();
$_SESSION['sessionId'] = $this->sessionId;
// $this->ownSetCookie();
$this->ownSetMainSessionParams(); // does not generete redirToken
echo "<br><br> 427 sessiong.php, After ownSessionStart _SESSION="; print_r($_SESSION);
} //function ownSessionStart() {
public function ownContinueSession() {
//if( ( !empty($_SESSION['start'])) && ( $now <= ($_SESSION['start'] + $timelimit) ) ) {
$now = time();
$_SESSION['sessStart'] = $now;
$_SESSION['sessEnd'] = $now + $this->timelimit;
$_SESSION['sessCount']++; //counts how many times session was activated
}
public function ownRegenerateSessionId() {
$status = session_status();
echo "<br><br> 448 Sessiong.php, ownRegenerateSessionId session_status=". $status;
if( $status == PHP_SESSION_ACTIVE || $status ==2 ) {
$oldSession = $_SESSION;
echo "session.php session is not expired, oldSession="; print_r($oldSession);
echo "session.php session is not expired, oldSessionId=".$this->sessionId;
session_regenerate_id(true); //this destroys the old session, but others says it is wrong
$this->sessionId = session_id();
$_SESSION = $oldSession;
//$_SESSION['validId'] = $this->sessionId;
//regenerates redirToken
echo "session.php session is not expired, newSession="; print_r($_SESSION);
echo "session.php session is not expired, newSessionId=" .$this->sessionId;
}
}
public function ownDealSession() {
// $_SESSION['rt'] = $token;
// Redir token
$now = time();
//token to be retrieved from all redirections, to be compared if correct - part of this file
echo "<br><br> 462 ownDealSession, _SESSION="; print_r($_SESSION);
echo "<br>ownDealSession now=" . $now;
if(!isset($_SESSION) || empty($_SESSION) ) {
echo "<br><br> 465 Sessiong.php ownSessionStart";
$this->ownSessionStart();
echo "<br><br> case not set-empty, _SESSION="; print_r($_SESSION);
//if (!empty($_COOKIE[session_name()])) { setcookie(session_name(), '', time()-86400, 'https://www.typejoy.biz/'); }
}
// *** SESSION ALREADY EXISTS, but exceed the time limit
else if ( !empty($_SESSION['sessStart']) && !empty($_SESSION['sessEnd']) && ( $now > intval($_SESSION['sessEnd'])) ) {
echo "<br>ownDealSession ase (!empty sessStart) and (now>sessEnd),now=" . $now;
$this->ownDealExpiredSession();
echo "<br><br> case (!empty sessStart) and (time>sessEnd), _SESSION="; print_r($_SESSION);
}
else if( !empty($_SESSION['sessStart']) && !empty($_SESSION['sessEnd']) && ( $now <= intval($_SESSION['sessEnd']) ) ) {
echo "<br><br>474 Sessiong.php (!empty sessStart) and (now<=sessEnd) ";
echo "<br>ownDealSession now=" . $now;
$this->ownContinueSession();
//$bsafe = $this->checkSession($vdArr); //redirect here
// $this->ownRegenerateSessionId();
$this->genRedirToken();
echo "<br><br> case (!empty sessStart) and (now<=sessEnd), _SESSION="; print_r($_SESSION);
}// elseif( ( !empty($_SESSION['start'])) && ( $now <= ($_SESSION['start'] + $timelimit) ) ) {
else {
echo "<br><br>481, Sessiong not clear case";
echo "<br>ownDealSession sessStart=" . $_SESSION['sessStart'];
echo "<br>ownDealSession now=" . $now;
echo "<br>ownDealSession sessEnd=" . $_SESSION['sessEnd'];
}
$params = session_get_cookie_params();
echo "<br><br> 508 Sessiong, cookie params in the end of ownDealSession ="; print_r($params);
} //public function dealSession() {
public function setIfEmpty($givArr){
$retFull=[];
foreach($givArr as $k=>$v) {
if(empty($_SESSION[$k])) { $_SESSION[$k]=$v; }
else { $retFull[] = $k; }
}
return $retFull; //returns array with keys which have values in _SESSION
}
public function set($givArr) {
foreach($givArr as $k=>$v) {
$_SESSION[$k]=$v;
}
}
//if( isset($_SESSION['curPath']) ) { $_SESSION['prevPath'] = $_SESSION['curPath']; }
//if( isset($_SESSION['curAction']) ) { $_SESSION['prevAction'] = $_SESSION['curAction']; }
//$this->sess->setCond( [
// [ 'vars'=> [ 'curPath'=> $vdArr['path'] ], 'cond'=> isset($_SESSION['curPath']) ],
// [ 'vars'=> [ 'curAction'=>$vdArr['action']], 'cond'=> isset($_SESSION['curAction']) ],
// ] );
public function setCond($givArr) {
foreach($givArr as $cond) {
if($cond['cond']) {
foreach($cond['vars'] as $k=>$v) {
$_SESSION[$k]=$v;
}}}}
} //
2)在我创建新会话后的函数ownDealSession中
Notice: Undefined variable: _SESSION in ...\Sessiong.php on line 477
3)在我创建新会话
之后的函数ownDealSession中sessiong.php, After ownSessionStart _SESSION=Array ( [sessCount] => 0 [sessionId] => l89mnggsjmpgtp5n2dqsuo2rm6 [sessStart] => 1494406265 [sessEnd] => 1494409865 [userId] => 25 [username] => anon [roles] => Array ( [0] => IS_AUTHENTICATED_ANONYMOUSLY ) [sessLooseIp] => 0.0.0.0 [sessLooseAgent] => Mozilla/5.0 (Windows NT 1 [rt] => 'random string , most probably jwt token' [path] => democurpath [action] => democur30 ...