PHP Sessions with disabled cookies, does it work?

Declaration: this page is a Chinese-English parallel translation of a popular StackOverFlow question, released under the CC BY-SA 4.0 licence. If you need to use it, you must likewise comply with the CC BY-SA licence, cite the original address and author information, and attribute it to the original author (not me). StackOverFlow original address: http://stackoverflow.com/questions/12572134/
Date: 2020-08-25 03:50:04  Source: igfitidea

Asked by Limeni

Today I had a Skype interview for a job as a PHP developer, and one of the questions asked was about cookies and PHP sessions.

The question was: can a PHP session be set, read and used if cookies are disabled in the user's browser?

I told them no, because PHP sessions by default depend on setting a session cookie. When a PHP session starts, a new session cookie is set with the default name PHPSESSID, and that cookie holds the value of that session id, for example: ftu63d8al491s5gatuobj39gk7. Then on the Apache server a file sess_ftu63d8al491s5gatuobj39gk7 is created in the tmp folder, and it holds the content of that session, for example: test1|s:12:"SessionTest1";test2|s:12:"SessionTest2";

They told me that's not true, and that you can use PHP sessions even if the user disables cookies in his browser.

Then I told them that you can do that, but then the session id would be passed through the URL as a GET variable. And that's not secure, and you must set it up in php.ini.

They were talking about how you can use PHP sessions even if cookies are disabled in the browser. And what if we are building a web shop, and some granny uses our web shop and disables cookies and she just doesn't care. And that PHP sessions are great because you can use them even if the user disables cookies. I was like wtf, wtf wtf?!?!

I made a test with two files: index.php starts a session and sets session variables, and then session.php tries to read those session variables.

This is how it looks:

index.php

<p>This is where I start and set php sessions.</p>

<?php

    session_start();
    $_SESSION['test1'] = "SessionTest1";
    $_SESSION['test2'] = "SessionTest2";

?>

<p>This is a link, that starts new HTTP Request, and tries to read session set on this page:</p>
<p><a href="session.php">Read Session</a></p>

session.php

<?php

    session_start();
    var_export($_SESSION);

?>

<p><a href="index.php">Back</a></p>

Now, if you enable cookies in your browser, visit index.php, and then visit session.php, the session would be printed out.

But if you clear your browser history and cookies, and then visit index.php, and then visit session.php, you would see an empty array, right?

So basically my question is: am I right? Can you use PHP sessions if you disable cookies in your browser? And does the PHP session mechanism, by default, depend on setting a session COOKIE?

Update: I was going mad about this, so I called back the guy I was talking with and asked him: can a PHP session work without cookies by default? The guy said "yes". Then I told him he is wrong, and he said "yes, yes, if you say so..." and started laughing. Then I told him: ok, if a PHP session can work without setting a cookie, how would the server know the current user/browser session id, if it's not stored in a session cookie? (I wanted to see if he knows that the session id can be passed as a GET variable.) And he was quiet for at least 20s, and told me that he is a System Administrator and that I should ask the Developer guy. And that he is 43 years old and has huge experience of 13 years in the business (he started at 30? wtf?), but he trusts me on this one. And I explained to him how sessions work and that you can use them without a cookie, but then the session id is passed as a GET variable, and told him I told them that in the interview, but they were telling me no, no, no... :S

So basically, the guy didn't have a clue about PHP and PHP sessions, and yes, he was the one that asked me about sessions, telling me that a PHP session can work without a cookie, even when I told him it can't be done and that there is a way to use PHP sessions without cookies but it won't work by default. He was like, no no no... At the end he told me that he was thinking that sessions can work without cookies because he, as System Admin on his servers, can never see sessions in the tmp folder?!?!?

Anyway, those guys suck at PHP, there is no way I will accept a job offer from them, and after all this I don't think they will offer me a job anyway...

Thanks for all the comments!

Accepted answer by Limeni

"A visitor accessing your web site is assigned a unique id, the so-called session id. This is either stored in a cookie on the user side or is propagated in the URL. "

Sessions: Introduction

Answer by Ranjan

If session.use_cookies = 1 (cookies enabled).

If session.use_cookies = 0 (cookies disabled).

If session.use_cookies = 1, then the session stores the session ID in a cookie. Calling session_id() gets the stored session ID from the cookie, and data saved in the session array will be found on all pages. If session.use_cookies = 0, the session does not store the session ID in a cookie, you will get a new session ID from session_id() each time, and data stored in the session on one page will not be found on other pages.

Answer by Pankaj Chauhan

Yes, sessions will work when cookies are disabled. But first Apache checks the PHP configuration settings, like:

   --enable-trans-sid
and
   --enable-track-vars

If these values are set to true, the session will be passed by POST automatically.

If "--enable-trans-sid" and "--enable-track-vars" are set to FALSE, we need to pass the session id by using the SID constant.

<a href="index.php?<?= SID ?>">Navigate from here</a>

You need to set in php.ini (or at runtime):

ini_set("session.use_cookies", 0);
ini_set("session.use_trans_sid", 1);

Answer by LSerni

So basically my question is, am I right?

所以基本上我的问题是,我说得对吗?

Mostly. In the real world: YES.

Can you use PHP sessions if you disable cookies in your browser?

You CAN use PHP sessions without cookies, as long as the browser identity is obtained somehow and yields a unique value (and this value is passed to the PHP session layer):

  • session ID in GET (which is the "standard" PHP way if cookies are not allowed, and the "other" way you described). This value is then propagated automatically by PHP, e.g. added to all A HREFs and so on. Where it is not propagated because the automagical link recognition failed (e.g. a complex URL built in Javascript), it is your responsibility to provide it accordingly.

Or - and here we're not in Kansas anymore:

  • passed among the nonces with Auth Digest (this is a dirty trick, and of course requires that the whole site is behind an Auth-Digest access authentication scheme. And you can no longer use a "dummy auth" (i.e. http://welcome:[email protected]) because some browsers, e.g. Internet Explorer, do not support them anymore for security reasons)
  • recognizing the browser some other way ("fingerprinting") (this is normally (1) suicidal)
  • Use LSO (Local Shared Objects) to generate a random UUID if it's not there already, and store it so that it can be retrieved on subsequent accesses.
  • other ways ( see http://en.wikipedia.org/wiki/Evercookie)

(1) if you were in a LAN where you can trust the IPs, you could associate a "session" to the user IP. You might enforce a strict "no cookies" policy in a small firm and still have user sessions without resorting to _GET/_POST for your session ID.
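Running with the session ID in GET, as the first bullet above describes, also means the ID lands in the web server's access logs and in the Referer header of every link the user follows. The following is an added example, not code from this answer or from PHP itself: a small PHP scanner that finds session IDs in Apache combined-format log lines, so an operator can check whether trans_sid is active on a host and IDs are being exposed. The log lines are constructed for the example; the session name PHPSESSID and the alphanumeric ID format are PHP's defaults, and the accepted ID length range is an assumption wide enough to cover old and current PHP versions.

```php
<?php
// Added example: detect session IDs exposed in request URLs and Referer
// headers of Apache "combined" access log lines. The sample lines are
// constructed for this example; the IP addresses are documentation ranges.

declare(strict_types=1);

const SAMPLE_LOG = <<<'LOG'
203.0.113.5 - - [25/Aug/2020:03:50:04 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.5 - - [25/Aug/2020:03:50:09 +0000] "GET /session.php?PHPSESSID=ftu63d8al491s5gatuobj39gk7 HTTP/1.1" 200 128 "http://shop.example/index.php?PHPSESSID=ftu63d8al491s5gatuobj39gk7" "Mozilla/5.0"
198.51.100.7 - - [25/Aug/2020:03:51:30 +0000] "GET /cart.php HTTP/1.1" 200 2048 "http://shop.example/session.php?PHPSESSID=ftu63d8al491s5gatuobj39gk7" "Mozilla/5.0"
LOG;

/**
 * Returns one finding per exposure: [line number, where, session id].
 * "where" is 'request-uri' (the ID was in the requested URL) or 'referer'
 * (the ID was carried over from the previous page in the Referer header).
 */
function find_leaked_session_ids(string $log, string $sessionName = 'PHPSESSID'): array
{
    $findings = [];
    // Session ID characters PHP may emit: [A-Za-z0-9,-]. Length 22..256 is
    // an assumption that spans the 26-char IDs of older PHP and the 32-char
    // default of PHP 7.1+.
    $idPattern = '/\b' . preg_quote($sessionName, '/') . '=([A-Za-z0-9,-]{22,256})/';

    foreach (explode("\n", trim($log)) as $i => $line) {
        // Combined format: ... "METHOD URL PROTO" STATUS SIZE "REFERER" "USER-AGENT"
        if (!preg_match('/"([^"]*)" \d+ \S+ "([^"]*)"/', $line, $m)) {
            continue; // not a line we understand; skip rather than guess
        }
        [, $request, $referer] = $m;
        if (preg_match($idPattern, $request, $s)) {
            $findings[] = [$i + 1, 'request-uri', $s[1]];
        }
        if (preg_match($idPattern, $referer, $s)) {
            $findings[] = [$i + 1, 'referer', $s[1]];
        }
    }
    return $findings;
}

foreach (find_leaked_session_ids(SAMPLE_LOG) as [$lineNo, $where, $sid]) {
    printf("line %d: session id %s exposed in %s\n", $lineNo, $sid, $where);
}
```

On the constructed sample the scanner reports line 2 twice (URL and Referer) and line 3 once (Referer only): even a page that was itself requested without the ID still receives it from the previous page. Point the function at a real log by reading the file instead of SAMPLE_LOG; any finding means the cookie-only configuration (session.use_only_cookies=1, session.use_trans_sid=0) is not in effect for that host.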

Answer by Rohit Ghotkar

You are right, sessions cannot work without cookies. To illustrate this, try doing the following actions.

  1. Log in to Gmail.
  2. After login, disable the cookies.
  3. Refresh the page.

You will be redirected to the login page again as the server cannot identify the session.

由于服务器无法识别会话,您将再次被重定向到登录页面。

  1. Now enable the cookies again.
  2. Refresh the page. (Note: don't click on the login button.)
  3. You will be automatically redirected to the Gmail inbox.

Hence, we can say that without cookies the session will not work.

Also, if you are trying to log in to Gmail (taken as an example; you can take any website) with disabled cookies, then it will show the message "Your browser has cookies disabled. Make sure your cookies are enabled and try again."
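The check behind a message like that is a two-request probe: start a session (which sends Set-Cookie), redirect the browser back, and see whether the cookie comes back. The following is an added example in PHP, not code from this answer or from the question, though it mirrors the question's index.php/session.php test. It assumes PHP's default session settings (session.use_cookies=1, session.use_trans_sid=0), under which the ID can only return in the cookie, and the default cookie name PHPSESSID; the probe query parameter and the session key are made up for the example.

```php
<?php
// Added example: detect whether the browser returned the session cookie.
// Assumes default php.ini session settings and the cookie name PHPSESSID.

declare(strict_types=1);

// True when the request carries the session cookie. This must be checked
// before session_start(): session_start() would otherwise just create a
// new, empty session and give no hint that the previous one was lost.
function client_sent_session_cookie(array $cookies, string $name): bool
{
    return isset($cookies[$name]) && $cookies[$name] !== '';
}

session_name('PHPSESSID');
// Path of this script without any query string, used as the redirect target.
$path = strtok($_SERVER['REQUEST_URI'] ?? '/', '?');

if (($_GET['probe'] ?? '') === '') {
    // Step 1 (like index.php in the question): start a session, which sends
    // Set-Cookie, store something in it, then bounce the browser back here.
    session_start();
    $_SESSION['test1'] = 'SessionTest1';
    header('Location: ' . $path . '?probe=1');
    exit;
}

// Step 2 (like session.php in the question): the redirect has landed.
// Without the cookie there is no ID to resume, whatever session_start() does.
if (!client_sent_session_cookie($_COOKIE, session_name())) {
    http_response_code(400);
    echo 'Your browser has cookies disabled. Make sure your cookies are enabled and try again.';
    exit;
}

// With cookies enabled this resumes the session created in step 1 and the
// value stored there is visible again.
session_start();
var_export($_SESSION);
```

Deploy it as a single script and open it with cookies enabled and then with cookies disabled: the first visit lands on the var_export output, the second on the error message, which is exactly the difference the question's two-file test exposes.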

Answer by Mamé

// Tell PHP not to use cookies for the session and to propagate the
// session ID in the URL instead (session.use_trans_sid):

 ini_set('session.use_cookies', '0');
 ini_set('session.use_only_cookies', '0');
 ini_set('session.use_trans_sid','1');
 session_start();

// Then pass the session ID in the URL (inspect the page, open the Network tab, refresh, and you will see your session ID in the headers).
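The settings above, and the php.ini settings in Pankaj Chauhan's answer, are the cookie-less, URL-based configuration. As an added example (not the answerers' code), here it is beside the cookie-only configuration a production site should run, plus the ID regeneration that belongs with it. It assumes PHP 7.3 or later for the array form of session_set_cookie_params(); the function names are made up for the example.

```php
<?php
// Added example: the URL-based session setup from the answers next to a
// hardened cookie-only setup. Assumes PHP >= 7.3.

declare(strict_types=1);

// WEAK: the session ID travels in every link and form as ?PHPSESSID=...
// It ends up in browser history, proxy and server access logs and in the
// Referer header sent to other sites. With session.use_strict_mode off,
// PHP also adopts whatever ID a request presents, so an ID planted in a
// link becomes the victim's session (session fixation).
function start_session_url_based(): void
{
    ini_set('session.use_cookies', '0');
    ini_set('session.use_only_cookies', '0');
    ini_set('session.use_trans_sid', '1');
    session_start();
}

// HARDENED: the ID is accepted only from the cookie, never from the URL;
// unknown IDs are rejected and a fresh one issued (use_strict_mode); and
// the cookie is invisible to script (httponly), sent only over HTTPS
// (secure) and not attached to cross-site requests (samesite).
function start_session_cookie_only(): void
{
    ini_set('session.use_cookies', '1');
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_trans_sid', '0');
    ini_set('session.use_strict_mode', '1');
    session_set_cookie_params([
        'lifetime' => 0,      // session cookie: gone when the browser closes
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
    session_start();
}

// Call after a successful login: a new ID is issued and the old session
// file deleted, so any ID the client carried before authenticating is no
// longer tied to the logged-in session.
function on_successful_login(int $userId): void
{
    session_regenerate_id(true);
    $_SESSION['user_id'] = $userId;
}

start_session_cookie_only();
var_export($_SESSION);
```

With 'secure' => true the cookie is only set over HTTPS, so on a plain-HTTP development host the hardened variant behaves like "cookies disabled"; that is intended, not a bug. Whether to fall back to start_session_url_based() for users who block cookies is a product decision; the answers above describe how to do it, and the comments in the block describe what it costs.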

Answer by Sruit A.Suk

If it was me, I would say "Yes"

Since you could store the session ID in a form / URL somewhere to pass it to the next page (very bad idea). So, based on his question "can PHP session be set and read, used, if Cookies are disabled in users Browser?"

Then, it should be yes. It can be read and used.

However, if the user closes the browser, then it's gone, and that's it. (since that guy didn't ask about this part)

Answer by Sagar Patil

Yes, it will work.
  1. PHP will pass one GET parameter in the URL with the name PHPSESSID, but it can be changed with session.name in the php.ini file.
  2. It adds one hidden input in forms with the same name.

Answer by Amir Rezazadeh

You will need to put the session ID in the URL. You will need to make a change in your php.ini file, so if you are on a shared host you will need to contact them to see what they will do for you.
