session_regenerate_id(true) invalidates the session on ajax requests or fast refreshes

Problem description:

To avoid session fixation I use this code at the beginning of every PHP page:

<?php
// $domain is assumed to be set earlier; the last two arguments set secure=1 and httponly=1
session_set_cookie_params( 900, '/', $domain, 1, 1 );
session_start();
// rotate the session ID and delete the old session data on every request
session_regenerate_id( true );

But if the page is refreshed too fast, or in case of multiple ajax requests, the session id becomes invalid.

Is there a way to avoid session fixation without this problem?

Use the http_only cookie flag, which will prevent the hijacking of your session id through xss attacks. It is supported in almost all modern browsers. For older browsers, make sure you don't have an xss vulnerability in your code. Also use the secure flag, if possible, to secure it on the network layer.

void session_set_cookie_params ( int $lifetime [, string $path [, string $domain [, bool $secure = false [, bool $httponly = false ]]]] )

You can also regenerate on a time basis or count basis. Hope it helps!
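The following is an added example, not code from the question or the answer, showing one way to do the time-based regeneration the answer suggests while keeping concurrent ajax requests alive: the ID is rotated at most once per interval, and the previous ID stays redeemable for a short grace window so a request that still carries it is forwarded to the successor instead of being treated as invalid. The constant values, the `$domain` parameter, and the function names are assumptions; `session_create_id()` requires PHP 7.1 or later.

```php
<?php
// Added example (not from the original post or answer). Time-based session ID
// rotation with a grace window. Constant values and function names are assumed.

const SESSION_REGEN_INTERVAL = 300; // seconds between rotations (assumed value)
const SESSION_GRACE_SECONDS  = 30;  // how long a rotated-away ID is still accepted

function start_secure_session(string $domain): void
{
    // Reject IDs the server never issued; this alone blocks classic fixation.
    ini_set('session.use_strict_mode', '1');
    // Cookie flags as the answer recommends: Secure and HttpOnly.
    session_set_cookie_params(900, '/', $domain, true, true);
    session_start();

    if (isset($_SESSION['destroyed'])) {
        // This ID has already been rotated away.
        $successor = $_SESSION['new_session_id'] ?? null;
        if ($successor === null || $_SESSION['destroyed'] < time() - SESSION_GRACE_SECONDS) {
            // Presented after the grace window (or with no successor recorded):
            // possible replay of a stale or stolen cookie. Start a clean session.
            $_SESSION = [];
            session_regenerate_id(true);
            $_SESSION['created'] = time();
            return;
        }
        // Inside the grace window (e.g. an ajax request that raced the
        // rotation): transparently switch to the successor ID.
        session_commit();
        session_id($successor);
        session_start();
        return;
    }

    if (!isset($_SESSION['created'])) {
        // Brand-new session: no other request can hold a valid reference yet,
        // so a hard regeneration is safe here.
        session_regenerate_id(true);
        $_SESSION['created'] = time();
    } elseif ($_SESSION['created'] < time() - SESSION_REGEN_INTERVAL) {
        rotate_session_id();
    }
}

function rotate_session_id(): void
{
    $data  = $_SESSION;           // keep the user's data for the new ID
    $newId = session_create_id(); // PHP >= 7.1

    // Leave only a forwarding marker under the old ID: no user data stays
    // readable through it, but a late request can still find the successor.
    $_SESSION = ['destroyed' => time(), 'new_session_id' => $newId];
    session_commit();

    // The successor ID does not exist in storage yet, so strict mode would
    // refuse it; disable strict mode only for this one session_start().
    ini_set('session.use_strict_mode', '0');
    session_id($newId);
    session_start();
    ini_set('session.use_strict_mode', '1');

    $_SESSION = $data;
    $_SESSION['created'] = time();
}

// Usage at the top of each page (domain value is a placeholder):
start_secure_session('example.com');
```

At privilege boundaries such as login, a hard `session_regenerate_id(true)` remains the right call, since no legitimate concurrent request should carry the pre-login ID across that point; the grace window is only for routine periodic rotation. A request that presents a rotated-away ID after the grace window is a useful signal to log, since it looks like a replayed cookie rather than a racing ajax call.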