php session.use_trans_sid

Disclaimer: this page is a Chinese-English parallel translation of a popular StackOverflow question, provided under the CC BY-SA 4.0 license. You are free to use and share it, but you must follow the same CC BY-SA license, cite the original URL and author information, and attribute it to the original authors (not me). StackOverflow original: http://stackoverflow.com/questions/1745984/

Time: 2020-08-25 03:41:43  Source: igfitidea

php session

Asked by Nathan H

I am not clear on the meaning and usage of PHP's session.use_trans_sid.

On the online documentation, it says:

"the run-time option session.use_trans_sid are enabled, relative URIs will be changed to contain the session id automatically."

Does this mean it will ALWAYS add the session id? Or only when cookies are not working?

Will it automatically add it to javascript's window.location or ajax calls?

Also, in the php.ini file, it says:

trans sid support is disabled by default.
Use of trans sid may risk your users security.
Use this option with caution.
 - User may send URL contains active session ID
   to other person via. email/irc/etc.
 - URL that contains active session ID may be stored
   in publically accessible computer.
 - User may access your site with the same session ID
   always using URL stored in browser's history or bookmarks.
 http://php.net/session.use-trans-sid

I'm confused, the online docs said that "Unless you are using PHP 4.2.0 or later, you need to enable it manually". So why would it be disabled by default? (I'm using php 5).

Also, isn't this feature NECESSARY to handle users with cookies disabled?

Answered by meghraj choudhary

You can go with this:

if (isset($_COOKIE[session_name()])) {
    // The browser sent the session cookie back, so cookies work:
    // keep the session id out of URLs.
    ini_set("session.use_trans_sid", false);
    session_start();
    ///////////////////
    // any hard tracking code or hard work goes here
    // like $_SESSION['msisdn']="9455366212";
    ///////////////////
    $_SESSION['cookie_support'] = 1;
} else {
    // No session cookie came back: fall back to the id in the URL.
    ini_set("session.use_trans_sid", true);
    session_start();
    $_SESSION['cookie_support'] = 0;
}

If the user tries to log in, first check $_SESSION['cookie_support']; try to avoid any sensitive interactions with cookie_support=0.

Answered by dark?

The risk is that someone could give you a link with a sid and you would use that link to log in, and then they would have an active session where you have logged in.

Answered by Sz.

"Does this mean it will ALWAYS add the session id? Or only when cookies are not working?"

  • Only when cookies are not working. Plus, if both session.use_trans_sid and session.use_cookies are 1, then session.use_only_cookies decides: 1 will disable URL-rewriting. See this nice article.

"Will it automatically add it to javascript's window.location or ajax calls?"

  • No. PHP does not know what Ajax is, it just rewrites literal URLs in its page output buffer (note how any linked scripts will break the session as soon as they have a hardcoded URL to the site).

"Unless you are using PHP 4.2.0 or later, you need to enable it manually"

  • That (indeed confusingly) meant recompiling PHP < 4.2. For PHP5, it's just disabled in the config (for reasons you quoted from php.ini).

"Also, isn't this feature NECESSARY to handle users with cookies disabled?"

  • Yes, it is. (Unless you provide some custom Javascript + PHP solution for some highly special case with crippled usability & generous trade-offs.)
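
A cookie-only session setup that closes off the link-with-sid risk described in dark?'s answer, using the settings Sz.'s answer names. This is an added example, not code from the original thread. The helper function names and the sample user id are assumptions, and session.use_strict_mode and session.cookie_httponly are standard PHP settings the thread does not mention.

```php
<?php
// Added example, not code from the thread. Helper names are hypothetical. PHP 7.1+.

// Start a session whose id can only arrive in a cookie, never in a URL.
function start_cookie_only_session(): void
{
    // All of these must be set before session_start().
    ini_set('session.use_trans_sid', '0');    // no URL rewriting
    ini_set('session.use_cookies', '1');
    ini_set('session.use_only_cookies', '1'); // ignore ids sent in GET/POST
    ini_set('session.use_strict_mode', '1');  // reject ids the server never issued
    ini_set('session.cookie_httponly', '1');  // hide the cookie from scripts
    session_start();
}

// True when a request still carries a session id in its query string,
// for example from an old bookmark or a link supplied by someone else.
function request_has_sid_in_url(array $query): bool
{
    return array_key_exists(session_name(), $query);
}

// Call once credentials are verified: the pre-login id is thrown away,
// so an id that was known before login is useless afterwards.
function mark_logged_in(string $userId): void
{
    session_regenerate_id(true); // true = delete the old session's data
    $_SESSION['user_id'] = $userId;
}

start_cookie_only_session();
if (request_has_sid_in_url($_GET)) {
    error_log('session id in URL was ignored');
}
$before = session_id();
mark_logged_in('constructed-user-42'); // constructed sample value
error_log($before !== session_id() ? 'id rotated at login' : 'id NOT rotated');
```

On an HTTPS site, also set session.cookie_secure to 1 before session_start().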

Answered by opHASnoNAME

If you enable "use_trans_sid" then the session id is attached to the URL every time. I am not sure what happens on an ajax request but I think it will be attached too.

And yes, you need trans_sid when the user has cookies disabled, but it's kind of insecure (think about someone looking at your screen and writing down your session id? :-) ).