有人看到 CI 2.1.4 的修改有问题吗?该类是为 1.7.2 ( Github link ) 编写的
问题:
1.regenerate_id的用途是什么?是 session ID 轮换吗?
2.session_write_close的潜在问题是什么(如评论中所示)
3.该类是否完全实现了 CI 2.1.4 的 session 类?
4.为什么过期时使用sess_expiration而不是sess_time_to_update? (当浏览器关闭时, session cookie 就会过期。sess_time_to_update 似乎更适合 session 轮换。
5.是否有任何已知的错误?
6.如果我在通配符子域名(site1.domain.com、site2.domain.com...等)上运行应用程序,cookie 是否仅适用于该子域名?我主要关心的是 setcookie( session_name(), '', time()-42000, '/');
<?php if (!defined('BASEPATH')) exit('No direct script access allowed');
/**
* Session class using native PHP session features and hardened against session fixation.
*
* @package CodeIgniter
* @subpackage Libraries
* @category Sessions
* @author Dariusz Debowczyk, Matthew Toledo
* @link http://www.philsbury.co.uk/index.php/blog/code-igniter-sessions/
*/
class CI_Session {
var $flashdata_key = 'flash'; // prefix for "flash" variables (eg. flash:new:message)
function CI_Session()
{
$this->object =& get_instance();
log_message('debug', "Native_session Class Initialized");
$this->_sess_run();
}
/**
* Regenerates session id
*/
function regenerate_id()
{
// copy old session data, including its id
$old_session_id = session_id();
$old_session_data = $_SESSION;
// regenerate session id and store it
session_regenerate_id();
$new_session_id = session_id();
// switch to the old session and destroy its storage
session_id($old_session_id);
session_destroy();
// switch back to the new session id and send the cookie
session_id($new_session_id);
session_start();
// restore the old session data into the new session
$_SESSION = $old_session_data;
// update the session creation time
$_SESSION['regenerated'] = time();
// session_write_close() patch based on this thread
// http://www.codeigniter.com/forums/viewthread/1624/
// there is a question mark ?? as to side affects
// end the current session and store session data.
session_write_close();
}
/**
* Destroys the session and erases session storage
*/
function destroy()
{
unset($_SESSION);
if ( isset( $_COOKIE[session_name()] ) )
{
setcookie(session_name(), '', time()-42000, '/');
}
session_destroy();
}
/**
* Alias for destroy(), makes 1.7.2 happy.
*/
function sess_destroy()
{
$this->destroy();
}
/**
* Reads given session attribute value
*/
function userdata($item)
{
if($item == 'session_id'){ //added for backward-compatibility
return session_id();
}else{
return ( ! isset($_SESSION[$item])) ? false : $_SESSION[$item];
}
}
/**
* Sets session attributes to the given values
*/
function set_userdata($newdata = array(), $newval = '')
{
if (is_string($newdata))
{
$newdata = array($newdata => $newval);
}
if (count($newdata) > 0)
{
foreach ($newdata as $key => $val)
{
$_SESSION[$key] = $val;
}
}
}
/**
* Erases given session attributes
*/
function unset_userdata($newdata = array())
{
if (is_string($newdata))
{
$newdata = array($newdata => '');
}
if (count($newdata) > 0)
{
foreach ($newdata as $key => $val)
{
unset($_SESSION[$key]);
}
}
}
/**
* Starts up the session system for current request
*/
function _sess_run()
{
session_start();
$session_id_ttl = $this->object->config->item('sess_expiration');
if (is_numeric($session_id_ttl))
{
if ($session_id_ttl > 0)
{
$this->session_id_ttl = $this->object->config->item('sess_expiration');
}
else
{
$this->session_id_ttl = (60*60*24*365*2);
}
}
// check if session id needs regeneration
if ( $this->_session_id_expired() )
{
// regenerate session id (session data stays the
// same, but old session storage is destroyed)
$this->regenerate_id();
}
// delete old flashdata (from last request)
$this->_flashdata_sweep();
// mark all new flashdata as old (data will be deleted before next request)
$this->_flashdata_mark();
}
/**
* Checks if session has expired
*/
function _session_id_expired()
{
if ( !isset( $_SESSION['regenerated'] ) )
{
$_SESSION['regenerated'] = time();
return false;
}
$expiry_time = time() - $this->session_id_ttl;
if ( $_SESSION['regenerated'] <= $expiry_time )
{
return true;
}
return false;
}
/**
* Sets "flash" data which will be available only in next request (then it will
* be deleted from session). You can use it to implement "Save succeeded" messages
* after redirect.
*/
function set_flashdata($newdata = array(), $newval = '')
{
if (is_string($newdata))
{
$newdata = array($newdata => $newval);
}
if (count($newdata) > 0)
{
foreach ($newdata as $key => $val)
{
$flashdata_key = $this->flashdata_key.':new:'.$key;
$this->set_userdata($flashdata_key, $val);
}
}
}
/**
* Keeps existing "flash" data available to next request.
*/
function keep_flashdata($key)
{
$old_flashdata_key = $this->flashdata_key.':old:'.$key;
$value = $this->userdata($old_flashdata_key);
$new_flashdata_key = $this->flashdata_key.':new:'.$key;
$this->set_userdata($new_flashdata_key, $value);
}
/**
* Returns "flash" data for the given key.
*/
function flashdata($key)
{
$flashdata_key = $this->flashdata_key.':old:'.$key;
return $this->userdata($flashdata_key);
}
/**
* PRIVATE: Internal method - marks "flash" session attributes as 'old'
*/
function _flashdata_mark()
{
foreach ($_SESSION as $name => $value)
{
$parts = explode(':new:', $name);
if (is_array($parts) && count($parts) == 2)
{
$new_name = $this->flashdata_key.':old:'.$parts[1];
$this->set_userdata($new_name, $value);
$this->unset_userdata($name);
}
}
}
/**
* PRIVATE: Internal method - removes "flash" session marked as 'old'
*/
function _flashdata_sweep()
{
foreach ($_SESSION as $name => $value)
{
$parts = explode(':old:', $name);
if (is_array($parts) && count($parts) == 2 && $parts[0] == $this->flashdata_key)
{
$this->unset_userdata($name);
}
}
}
}
?>
最佳答案
1.What is the purpose of regenerate_id? Is it session id rotation?
用例是session fixation预防。 NativeSession 根据 NativeSession::$session_id_ttl 属性值每 X 秒重新生成一次 session ID。它减少了 session 劫持的影响,因为“被盗” session ID 会过期,并在配置时间后使用 regerate_id() 重新生成。
2.What is the potential problem with session_write_close (as indicated in comment)
一般来说,session_write_close() 用于在 session 的所有更改完成后立即摆脱 session 写锁定。这可能会导致多帧应用程序加载速度更快(因为更快地允许 session 写入访问)。
您不应添加带有 session_write_close() 的行,因为它会阻止 session flashdata 机制正常工作。
3.does this class fully implement session class for CI 2.1.4?
不完全是,但应该可以将其用作 CI_Session 的直接替代品。我将 NativeSession 与 CI2 一起用于 2 个生产应用程序,没有任何问题。
如果您正在寻找可提供与 NativeSession 类似功能的受支持 CI session 处理程序,请检查 CI2 Github 上的 CI_Session_native。我检查了代码,看起来它部分基于 NativeSession。它还包含一些安全改进。
4.Why is sess_expiration used instead of sess_time_to_update for expiration? (Session cookie expires when browser is closed. sess_time_to_update would seem like a better fit for session rotation.
您似乎指的是 CI2 session 机制。
- CI2 中的 sess_expiration 允许设置用户上次事件后 session 过期之前的特定时间(以秒为单位)
- CI2 中的 sess_time_to_update 允许设置用户上次事件后强制重新生成 session ID 的时间(以秒为单位)
NativeSession 是在 CI2 之前开发的,它使用与 CI Session 不同的参数。
- session_ttl 相当于 CI2 session 处理程序中的 sess_expiration
- session_id_ttl 几乎相当于 CI2 session 处理程序中的 sess_time_to_update(NativeSession 不关心上次用户的事件 - 仅计算自上次 session 重新生成以来的时间)
5.Are there any known bugs?
我不知道什么,尽管它当然可能包含错误。
6.If I run an application on a wildcard subdomian (site1.domain.com, site2.domain.com...etc, will the cookies only apply to that subdomain? My main concern is with setcookie(session_name(), '', time()-42000, '/');
来自PHP docs :“可用于较低域(例如“example.com”)的 Cookie 将可用于较高级子域(例如“www.example.com”)。”
我将此代码与处理子域的应用程序一起使用,没有任何问题。
关于php - Native-session 针对代码点火器 2.1.4 进行了修改...这有意义吗?,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/24299433/