Problem description
I have a login screen that I force to be ssl, so like this: https://www.foobar.com/login then after they login, they get moved to the homepage: https://www.foobar.com/dashbaord
However, I want to move people off of SSL once logged in (to save CPU), so just after checking that they are in fact logged in on https://www.foobar.com/dashbaord I move them to http://www.foobar.com/dashbaord
Well this always seems to wipe out the session variables, because when the page runs again, it confirms they are logged in (as all pages do) and session appears not to exist, so it moves them to the login screen.
Oddities/findings:
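- The 2nd login always works, and happily gives me access to http://www.foobar.com/dashbaord
- The 1st login successfully creates a cookie
- If I log in twice, then log out, then log in again, I don't need the double login (I seem to have traced this to the fact that the cookie exists). If I delete the cookie, I'm back to two logins.
- After the 2nd login, I can move between non-SSL and SSL and the session persists.
- On the 1st login, moving to the non-SSL site wipes out the session entirely; manually going back to the SSL site still forces me to log in again.
- The 2nd login uses exactly the same mechanism as the first, over SSL
What I've tried:
- Playing with Cake's security.level and session.checkagent settings - nothing
- Having Cake store sessions in the db (rather than the file system) - nothing
- Testing in FF, IE, Chrome on an XP machine.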
So I feel like this is something related to the cookie being created but not being read.
Environment:
1. Debian
2. Apache 2
3. Mysql 4
4. PHP 5
5. CakePHP
6. Sessions are being saved PHP default, as files
Recommended answer
I figured this out. Cake was switching the session.cookie_secure ini value on-the-fly while under SSL connections automatically, so the cookie being created was a secure cookie, which the second page wouldn't recognize.
Solution, comment out /cake/lib/session.php line 420 ish:
ini_set('session.cookie_secure', 1);
(Just search for that to find it, as I'm sure the line # will change as releases come out.)
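The mechanism behind the lost session, as an added example that is not part of the original answer: Python's http.cookiejar stands in for the browser and shows which requests carry the session cookie with and without the Secure attribute. The cookie name and value are constructed placeholders, the URLs are the ones from the question, and no network traffic is made.

```python
import email
import http.cookiejar
import urllib.request

LOGIN_URL = "https://www.foobar.com/login"        # URLs from the question
HTTP_DASH = "http://www.foobar.com/dashbaord"
HTTPS_DASH = "https://www.foobar.com/dashbaord"

# Constructed session cookies; name and value are placeholders.
SECURE = "CAKEPHP=abc123constructed; path=/; secure"
NOT_SECURE = "CAKEPHP=abc123constructed; path=/"


class FakeResponse:
    """Minimal response object: CookieJar only calls .info() on it."""

    def __init__(self, set_cookie):
        self._headers = email.message_from_string(
            f"Set-Cookie: {set_cookie}\n\n")

    def info(self):
        return self._headers


def cookie_sent(set_cookie, next_url):
    """Return the Cookie header a client sends to next_url after receiving
    set_cookie from the HTTPS login page, or None if the cookie is withheld."""
    jar = http.cookiejar.CookieJar()
    jar.extract_cookies(FakeResponse(set_cookie),
                        urllib.request.Request(LOGIN_URL))
    follow_up = urllib.request.Request(next_url)   # built, never opened
    jar.add_cookie_header(follow_up)
    return follow_up.get_header("Cookie")


if __name__ == "__main__":
    for label, header in (("secure", SECURE), ("not secure", NOT_SECURE)):
        for url in (HTTPS_DASH, HTTP_DASH):
            print(f"{label:10} -> {url}: {cookie_sent(header, url)}")
```

The Secure cookie is withheld from the http:// request, so the server sees no session there. With the attribute removed, the same session ID is sent over plain HTTP, readable by anyone on the network path.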