PHP multiple concurrent sessions per user

Posted on 2024-11-08 21:52:08 | 258 words | 4 views | 0 comments

I'm working on a web app using PHP on Apache. $_SESSION variables are used quite a bit for the information that must persist across pages.

We need each user to be able to open multiple concurrent sessions, either as new tabs or new windows, depending on their choice of browser. Right now when a user opens an additional tab or window and goes to the site the existing session is adopted. How can I prevent this so that the user must (or may) log in and start a new session, without it interfering with any existing session(s) they already have open?

Our temporary workaround is to use multiple browsers (IE and FF) but that's obviously not a very desirable way of doing things.

Comments (5)

感性不性感 2024-11-15 21:52:08

The behavior you describe opposes the concept of a browser session. Why would a user want more than one session? Is it a matter of user access controls needing to be enforced? If so, assign users to logical groups and grant permissions to specific groups. Do users need to perform some action on behalf of other users? If so, design the website around that concept instead of trying to create multiple sessions for a single user.

If you really have to do this, you could do something horrible like pass along a query parameter (very insecure!) between pages to act as a session ID, bypassing the actual $_SESSION altogether and managing your own concept of a session. Again, this is not normal and will only lead to headaches/security issues in the future.

独行侠 2024-11-15 21:52:08

Non-Atomic Concurrent Session Management access can be simulated with the following pseudo coded logic:

<?php
function main() {
  $locker = new SessionLocking();
  /** Read elements from the $_SESSION "cached" copy. **/
  $var1 = $_SESSION['var1'];
  $var2 = $_SESSION['var2'];
  /** Pseudo Atomic Read **/
  $locker->lock(); // session is locked against concurrent access.
  $var3 = $_SESSION['var3'];
  $locker->unlock(); // session is committed to disk (or other) and can be accessed by another script.
  /** Pseudo Atomic Write **/
  $locker->lock(); // session is locked against concurrent access.
  $_SESSION['var4'] = "Some new value";
  $locker->unlock(); // session is committed to disk (or other) and can be accessed by another script
}

class SessionLocking {

  // Nesting depth of lock() calls; the session is open while this is > 0.
  private static $lockCounter = 0;
  // True once the session data has been loaded into $_SESSION.
  private static $isLoaded = false;

  public function __construct() {
    if (!self::$isLoaded) {
      $this->load();
    }
  }

  // Open and immediately close the session so $_SESSION holds a cached copy.
  private function load() {
    $this->lock();
    $this->unlock();
    self::$isLoaded = true;
  }

  // Public because main() calls it; only the outermost lock() opens the session.
  public function lock() {
    if (self::$lockCounter < 1) {
      try { session_start(); } catch (Throwable $e) {}
    }
    self::$lockCounter++;
  }

  // Only the outermost unlock() writes the session and releases it.
  public function unlock() {
    if (self::$lockCounter < 1) return;
    self::$lockCounter--;
    if (self::$lockCounter < 1) {
      try { session_write_close(); } catch (Throwable $e) {}
    }
  }
}

白衬杉格子梦 2024-11-15 21:52:08

This would be very difficult to do, if at all possible.

Sessions should not have to worry about which tab they are in.

Also, what happens if session 1 in tab 1 opens a new window? Is it a new session?

还如梦归 2024-11-15 21:52:08

Knowing it's a very late answer ...

As a developer, I usually need to simultaneously test the interface of different user types (Administrator, Registered, Visitor, etc.). Firefox browser has a "Multi-Account Containers" add-on that, among other things, keeps cookies separated by container. As many containers as required may be created and tabs opened inside each one of them. Each set of contained tabs shares cookies, but not across containers. The browser will be working with different independent "PHPSESSID" (or however you named the cookie), thus being able to handle multiple simultaneous sessions.

There are other extensions and considerations, such as special bookmarks, etc. but they are beyond the scope of the question here.

半衬遮猫 2024-11-15 21:52:08

Here is a way to do that:

- First, disable session cookies in php.ini with:

session.use_cookies = 0

This makes sure that cookies are not used to pass the session id.

- Then make sure you generate all your URLs with the session id included (you get it through the function session_id()), e.g.:

print "<a href=\"http://www.example.com/?" . session_name() . "=" . session_id() . "&amp;showlist=1\">show list</a>";
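
An alternative to putting the session id in URLs, as an added example that is not part of any answer above: the PHP session id stays in the cookie, and each tab gets its own slot inside $_SESSION, selected by a URL parameter that is useless without the cookie. The names ctx, contexts, MAX_CONTEXTS and /list.php are assumptions made for this sketch.

```php
<?php
// Added example, not code from the answers. "ctx", 'contexts' and
// MAX_CONTEXTS are hypothetical names chosen for this sketch.
const MAX_CONTEXTS = 8;                     // cap state kept per browser

ini_set('session.use_only_cookies', '1');   // never accept a session id from a URL
ini_set('session.use_strict_mode', '1');    // reject ids the server did not issue
ini_set('session.cookie_httponly', '1');    // hide the cookie from page scripts
session_start();

/** Return this tab's context key: a known one from the URL, else a new one. */
function current_context(array $query): string
{
    $ctx = $query['ctx'] ?? '';
    if (is_string($ctx) && isset($_SESSION['contexts'][$ctx])) {
        return $ctx;
    }
    if (count($_SESSION['contexts'] ?? []) >= MAX_CONTEXTS) {
        array_shift($_SESSION['contexts']); // evict the oldest context
    }
    $ctx = 'c' . bin2hex(random_bytes(8));  // selector only, not a credential
    $_SESSION['contexts'][$ctx] = ['user' => null];   // starts logged out
    return $ctx;
}

/** Build an HTML-safe relative link that keeps the tab in its context. */
function ctx_link(string $path, string $ctx, array $params = []): string
{
    $params['ctx'] = $ctx;
    return htmlspecialchars($path . '?' . http_build_query($params), ENT_QUOTES);
}

$ctx = current_context($_GET);
if (($_GET['ctx'] ?? null) !== $ctx) {      // newly minted: pin it in the URL
    header('Location: ?' . http_build_query(['ctx' => $ctx] + $_GET));
    exit;
}
$slot = &$_SESSION['contexts'][$ctx];       // state private to this tab
// A login handler would verify credentials, call session_regenerate_id(true),
// and only then set $slot['user'].
$who = $slot['user'] ?? 'not logged in';
echo '<p>', htmlspecialchars($ctx . ': ' . $who), '</p>';
echo '<a href="', ctx_link('/list.php', $ctx, ['showlist' => 1]), '">show list</a> ';
echo '<a href="', ctx_link('/', 'new'), '" target="_blank">log in separately in a new tab</a>';
```

A copied or leaked link exposes only the ctx selector; without the session cookie the server finds no matching context and starts a fresh, logged-out one.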