在 PHP 中的 PHPSESSID cookie 上设置 httpOnly 和安全
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/6821883/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
Set httpOnly and secure on PHPSESSID cookie in PHP
提问by Steve
Whats the recommended way to set httponly and secure flags on the PHPSESSID cookie?
在 PHPSESSID cookie 上设置 httponly 和安全标志的推荐方法是什么?
I found http://www.php.net/manual/en/session.configuration.php#ini.session.cookie-httponly. Any better suggestions?
我找到了http://www.php.net/manual/en/session.configuration.php#ini.session.cookie-httponly。有什么更好的建议吗?
thanks
谢谢
采纳答案by Johan
In my opinion the best would be: http://www.php.net/manual/en/function.session-set-cookie-params.php
在我看来最好的是:http: //www.php.net/manual/en/function.session-set-cookie-params.php
void session_set_cookie_params ( int $lifetime [, string $path [, string $domain [, bool $secure = false [, bool $httponly = false ]]]] )
回答by user2741089
回答by allieferr
I was unable to get the secure flag working with session_set_cookie_params(...), so what I did was, after session_start()set the PHPSESSID cookie, I reset it with setcookie(...). The final parameter, true, makes the cookie have a secure flag.
我无法获得安全标志有工作session_set_cookie_params(...),所以我所做的是,后session_start()设置PHPSESSID饼干,我重置setcookie(...)。最后一个参数 true 使 cookie 具有安全标志。
<?php
session_start();
$currentCookieParams = session_get_cookie_params();
$sidvalue = session_id();
setcookie(
'PHPSESSID',//name
$sidvalue,//value
0,//expires at end of session
$currentCookieParams['path'],//path
$currentCookieParams['domain'],//domain
true //secure
);
?>
When I checked the PHPSESSID cookie in Firefox, its 'Send for' property was set to 'Encrypted connections only' and its 'Expires' property was set to 'At end of session'.
当我在 Firefox 中检查 PHPSESSID cookie 时,它的“发送对象”属性设置为“仅加密连接”,其“过期”属性设置为“会话结束时”。
回答by hyjiacan
I use Apache httpd over HTTPS, set session.cookie_httponly = 1& session.cookie_secure = 1works for me.
我通过 HTTPS 使用 Apache httpd,设置session.cookie_httponly = 1并session.cookie_secure = 1为我工作。
回答by Hein
A more elegant solution since PHP >=7.0
自PHP >=7.0以来更优雅的解决方案
session_start(['cookie_lifetime' => 43200,'cookie_secure' => true,'cookie_httponly' => true]);
回答by MarcoZen
Using .htaccess for this purpose just slows down your application.
为此目的使用 .htaccess 只会减慢您的应用程序的速度。
I think its better to add this snippet in your main config file ( example config.php ) or main include file ( example global.php )
我认为最好将此代码段添加到您的主配置文件(例如 config.php )或主要包含文件(例如 global.php )中
// Prevents javascript XSS attacks aimed to steal the session ID
ini_set('session.cookie_httponly', 1);
// Prevent Session ID from being passed through URLs
ini_set('session.use_only_cookies', 1);
If you are using https:// instead of http:// , then also do
如果您使用的是 https:// 而不是 http:// ,那么也这样做
// Uses a secure connection (HTTPS)
ini_set('session.cookie_secure', 1);
This method is also suitable for thos who dont have access to php.ini
此方法也适用于无法访问 php.ini 的人
回答by Manik Malhotra
For a WordPress website, I fixed it using the following PHP code:
对于 WordPress 网站,我使用以下 PHP 代码修复了它:
add_action('init', 'start_session', 1);
function start_session() {
if(!session_id()) {
session_start();
$currentCookieParams = session_get_cookie_params();
$sidvalue = session_id();
setcookie(
'PHPSESSID',//name
$sidvalue,//value
0,//expires at end of session
$currentCookieParams['path'],//path
$currentCookieParams['domain'],//domain
true //secure
);
}
}
add_action('wp_logout','end_session');
add_action('wp_login','end_session');
function end_session() {
session_destroy();
}
Paste the code in the functions.php file.
将代码粘贴到functions.php 文件中。
回答by Trac Nguyen
If you are using Apache, try this on your .htaccess
如果您使用的是 Apache,请在您的 .htaccess 上试试这个
php_value session.cookie_httponly 1
