
php - session_set_cookie_params() setting two cookies after redirect

Problem description:

I'm using a slightly modified version of the login scripts found here, and have run into behavior I think is coming from session_set_cookie_params() that I do not understand.

I am using sessions, cookies, and header() to redirect users to a login page, then back to the page they requested. My problem was that, even though the initial page and the login page use the same function to handle sessions and cookies, two separate cookies were being set; one for www.example.com and one for example.com. This was preventing a session variable set on the initial page from being read after login.

Here is an example of code from any requested page:

    requireSSL();
    sec_session_start();

    // login_check() comes from the linked login scripts; it returns false when no valid session exists.
    if (login_check($mysqli) == false) {
        // Remember where the user wanted to go so login.php can send them back.
        $_SESSION['origURL'] = $_SERVER['REQUEST_URI'];
        header('Location: https://www.example.com/login.php');
        exit();
    }

Here are the functions:

    function requireSSL() {
        // empty() avoids an "undefined index" notice when the server never sets HTTPS at all.
        if (empty($_SERVER["HTTPS"]) || $_SERVER["HTTPS"] !== "on") {
            header("Location: https://" . $_SERVER["HTTP_HOST"] . $_SERVER["REQUEST_URI"]);
            exit();
        }
    }

    function sec_session_start() {
        $session_name = 'sec_session_id'; // Set a custom session name
        $secure = true;                   // Set to true if using https.
        $httponly = true;                 // This stops javascript being able to access the session id.

        ini_set('session.use_only_cookies', 1); // Forces sessions to only use cookies.

        $cookieParams = session_get_cookie_params(); // Gets current cookie params.
        // Note: $cookieParams["domain"] is "" unless session.cookie_domain is configured,
        // and an empty domain makes the cookie host-only (bound to whichever host set it).
        session_set_cookie_params($cookieParams["lifetime"], $cookieParams["path"], $cookieParams["domain"], $secure, $httponly);

        session_name($session_name); // Sets the session name to the one set above.
        session_start();             // Start the php session
        session_regenerate_id(true); // Regenerate the session id and delete the old one.
    }

Although I was able to "fix" this behavior by explicitly stating a domain in session_set_cookie_params() (e.g. "example.com"), I would love to understand why two cookies were being set in the first place. Thanks!

Answer:

Why: Because example.com and www.example.com are two different domains for the browser.

    example.com

is a higher-level domain.

    www.example.com

is a lower-level domain, under example.com.

Setting your cookies to the higher domain by:

    setcookie($name, $value, $expire, $path, 'example.com');

and likewise for the session cookie by:

    session_set_cookie_params($lifetime, $path, 'example.com');

solves the problem for the same reason.

So they will be valid for both www.example.com and example.com.

Take a look at the domain definition in the PHP manual for the setcookie function:

Warning: Higher-level domain cookies are valid and accessible by all pages at lower levels. A cookie for example.com will be accessible from mysubdomain.example.com too.

So if that is not wanted, you should differentiate the cookie domains.


IMHO, for this line:

    header("Location: https://" . $_SERVER["HTTP_HOST"] . $_SERVER["REQUEST_URI"]);

instead of sending the header, echo it to see what is going on...
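The following is an added example, not code from the question, the answer, or the linked login scripts. It shows the two ways out of the two-cookie problem side by side: either redirect every request to one canonical host so that only that host ever sets the (host-only) session cookie, or set an explicit cookie domain so the cookie is shared across subdomains as the answer suggests. The host names www.example.com and example.com, the constant names, and the function names are assumptions for illustration; the array form of session_set_cookie_params() and the samesite key require PHP 7.3 or later.

```php
<?php
// Added example (not the asker's or answerer's code). Host names are placeholders.
const CANONICAL_HOST = 'www.example.com';   // assumed: the one host the site is served from
const SESSION_DOMAIN = 'example.com';       // assumed: parent domain to share the cookie across

// Redirect to HTTPS on the canonical host. Using a fixed host instead of
// $_SERVER['HTTP_HOST'] means a request for example.com lands on
// www.example.com, so only one host ever sets the session cookie, and the
// redirect target is not taken from the client-supplied Host header.
function requireCanonicalHttps(): void {
    $isHttps = !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off';
    $host    = $_SERVER['HTTP_HOST'] ?? '';
    if (!$isHttps || strcasecmp($host, CANONICAL_HOST) !== 0) {
        header('Location: https://' . CANONICAL_HOST . ($_SERVER['REQUEST_URI'] ?? '/'), true, 302);
        exit();
    }
}

// Build the cookie parameters explicitly. An empty 'domain' (what
// session_get_cookie_params() returns by default) yields a host-only cookie,
// which is why www.example.com and example.com each ended up with their own.
function sessionCookieParams(bool $shareAcrossSubdomains): array {
    return [
        'lifetime' => 0,          // session cookie, dropped when the browser closes
        'path'     => '/',
        'domain'   => $shareAcrossSubdomains ? SESSION_DOMAIN : '', // '' = host-only
        'secure'   => true,       // only sent over HTTPS
        'httponly' => true,       // not readable from JavaScript
        'samesite' => 'Lax',      // PHP 7.3+; not sent on most cross-site requests
    ];
}

function sec_session_start(bool $shareAcrossSubdomains = false): void {
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_strict_mode', '1');   // reject session ids the server did not issue
    session_set_cookie_params(sessionCookieParams($shareAcrossSubdomains));
    session_name('sec_session_id');
    session_start();
    // The question regenerates the id on every request; doing it once after a
    // successful login is enough to defeat session fixation.
}

requireCanonicalHttps();
sec_session_start(false);   // false: host-only cookie on the canonical host
```

With `sec_session_start(false)` the cookie carries no Domain attribute, so it is bound to www.example.com alone, and the canonical redirect guarantees no other host ever issues one; this keeps the cookie away from other subdomains, which is the exposure the answer's warning describes. Passing `true` reproduces the answer's fix (Domain=example.com), which is the right choice only when every subdomain is trusted to receive the session id.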
