在 zend 框架中传递和恢复会话 ID
首先,是的,我知道这是一个很大的安全问题NONO。但场景是这样的;
在网上商店结账时,我使用支付网关,它可以通过他们的 SSL 代理我的结账表格。
(以下网址只是理论,其他网址适用于该应用程序)
它的工作方式是,网站将用户重定向到他们的 https://gateway.org/secure-tunnel.php,并在像这样的查询 ?url=http://myshop.com/cc-form.php < ;- 需要进行 urlencode 编码。
安全隧道请求 url - 在文档中的 url 上施展一些魔法 - 并将其显示给用户。
现在我想将会话 ID 传递到 cc-form.php url,并使该部分正常工作。但请求的页面不会获取传递的会话 ID。
对此有什么想法吗?
以下内容来自我的 application.ini
resources.session.name = UPSSESSID
resources.session.save_path = APPLICATION_PATH "/../data/session"
resources.session.use_only_cookies = off
resources.session.referer_check = off
resources.session.remember_me_seconds = 864000
另外,在研究时,我发现 Suoshin 扩展可能会导致一些问题,因此我已将其添加到 .htaccess
php_flag suhosin.session.cryptua off
我使用付款表单的路由
$this->_helper->url->url(array(session_name() => Zend_Session::getId()), 'payment')
编辑:可能的,相当狡猾的解决方案
实际上,我通过将其插入引导文件中的 _initApplication() 来成功恢复会话。这是相当狡猾的,所以如果有人知道更好的 - 更像 ZF 的 - 方法,请提出建议!
if(isset($_GET[$appConfig->resources->session->name])) {
session_id($_GET[$appConfig->resources->session->name]);
}
编辑:DOH!
好吧..事实证明以前的编辑是不需要的。就在我将前面的行添加到引导程序之前,我还更改了 url 布局。
将其从 /pay/UPSSESSID/{session-id-here} 更改为 /pay?UPSSESSID={session-id-here} - 这实际上是问题:(
现在我已经从引导程序中删除了这些行,并且正确恢复了 sessionId。
我的错误!
First, yes i know this is a big security NONO. But the scenario is this;
In the checkout of a webshop i use a payment-gateway, which can proxy my checkout form through their SSL.
(following url's is just the theory, other urls apply for the application)
The way it works, website redirects user to their https://gateway.org/secure-tunnel.php passing a url in the query like this ?url=http://myshop.com/cc-form.php <- needs to be urlencoded.
The secure-tunnel requests the url - sprinkle some magic on url in the document - and shows it to the user.
Now i want to pass the session ID to the cc-form.php url, and got that part working. BUT the requested page don't pick up the session ID that is passed.
Any ideas on that?
The following is from my application.ini
resources.session.name = UPSSESSID
resources.session.save_path = APPLICATION_PATH "/../data/session"
resources.session.use_only_cookies = off
resources.session.referer_check = off
resources.session.remember_me_seconds = 864000
Also while researching i found that the Suoshin extension could be causing some problems, so i have added this to the .htaccess
php_flag suhosin.session.cryptua off
I use a route to my payment form
$this->_helper->url->url(array(session_name() => Zend_Session::getId()), 'payment')
EDIT: Possible, rather dodgy solution
I actually managed to restore the session by inserting this to _initApplication() in my bootstrap file. It's rather dodgy, so if anyone knows of a better - more ZF'ish - way please advice!
if(isset($_GET[$appConfig->resources->session->name])) {
session_id($_GET[$appConfig->resources->session->name]);
}
EDIT: DOH!
Well.. turns out previous edit is not needed. Just before i added the previous lines to the bootstrap i also changed the url layout.
Changed it from /pay/UPSSESSID/{session-id-here} to /pay?UPSSESSID={session-id-here} - And that was actually the root of the problem :(
Now i have removed the lines from the bootstrap and the sessionId i restored correctly.
My mistake!
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(1)
默认情况下,PHPSESSID 不能作为 URL 重写的一部分传递。
?PHPSESSID={session_id}-格式解决了我的问题。PHPSESSID can not - by default - be passed as part of a URL-rewrite.
?PHPSESSID={session_id}-format solved my problem.