个人中心
gpt4 book ai didi

php - session_regenerate_id 导致返回两个 PHPSESSID cookie

转载 作者:搜寻专家 更新时间:2023-10-31 20:57:12 24 4
gpt4 key购买 nike

我开发了一个 API,最初只能通过浏览器使用,但从未发现问题,但我现在正尝试通过第三方 Android 库 (OkHttpClient) 连接到它,并且我已经测试了我所看到的使用 REST API 测试客户端 (Insomnia.rest)。

我遇到的问题是,当我执行 API 的登录操作时,我启动了一个 session 并调用了 session_regenerate_id(true);以避免粘性 session 攻击(我不确定这是否是正确的名称)。

但是,当我这样做时,我会返回两个 PHPSESSID cookie,如下面的 header 所示:

< HTTP/1.1 200 OK
< Date: Thu, 18 Apr 2019 22:51:43 GMT
< Server: Apache/2.4.27 (Win64) PHP/7.1.9
< X-Powered-By: PHP/7.1.9
* cookie size: name/val 8 + 6 bytes
* cookie size: name/val 4 + 1 bytes
< Set-Cookie: ClientID=413059; path=/
* cookie size: name/val 9 + 26 bytes
* cookie size: name/val 4 + 1 bytes
< Set-Cookie: PHPSESSID=15u9j1p2oinfl5a8slh518ee9r; path=/
< Expires: Thu, 19 Nov 1981 08:52:00 GMT
< Cache-Control: no-store, no-cache, must-revalidate
< Pragma: no-cache
* cookie size: name/val 9 + 26 bytes
* cookie size: name/val 4 + 1 bytes
* Replaced cookie PHPSESSID="hkkffpj8ta9onsn92pp70r257v" for domain localhost, path /, expire 0
< Set-Cookie: PHPSESSID=hkkffpj8ta9onsn92pp70r257v; path=/
* cookie size: name/val 17 + 1 bytes
* cookie size: name/val 4 + 1 bytes
< Set-Cookie: UsingGoogleSignIn=0; path=/
* cookie size: name/val 6 + 1 bytes
* cookie size: name/val 4 + 1 bytes
< Set-Cookie: UserID=7; path=/
< Access-Control-Allow-Credentials: true
< Content-Length: 47
< Content-Type: application/json

从上面的输出中可以看出,有两个带有 PHPSESSID 的 Set-Cookie。如果我删除 session_regenerate_id,那么我只会得到一个 PHPSESSID cookie,然后 Android 客户端就会成功运行。

我已经在 Windows 10 上的 Wamp 下的 Apache 和 CentOS 7 构建的生产中的 Apache 上展示了这个。

所以问题是,如何在不发回两个不同的 PHPSESSID cookie 的情况下生成新的 PHP session ID?

更新

下面是一些与登录过程相关的代码。我不能包含所有代码,但它应该显示正在发生的事情的概念。

向登录函数发出API请求

$email = mysqli_escape_string($this->getDBConn(), $encryption->encrypt($postArray["email"]));
        $password = mysqli_escape_string($this->getDBConn(), $encryption->encrypt($postArray["password"]));
        $externalDevice = isset($postArray["external_device"]) ? abs($postArray["external_device"]) : 0;

        $query = "SELECT * FROM users WHERE Email='$email'";
        $result = $this->getDBConn()->query($query);
        if ($result)
        {
            if (mysqli_num_rows($result) > 0 )
            {
                $myrow = $result->fetch_array();
                if ($myrow["UsingGoogleSignIn"] === '1')
                {
                    //We're trying to login as a normal user, but the account was registered using Google Sign In
                    //so tell the user to login via google instead
                    return new APIResponse(API_RESULT::SUCCESS, "AccountSigninViaGoogle");
                }
                else
                {
                    //Check the password matches
                    if ($myrow["Password"] === $password)
                    {
                        $this->getLogger()->writeToLog("Organisation ID: " . $myrow["Organisation"]);
                        $organisationDetails = $this->getOrganisationDetails(abs($myrow["Organisation"]), false);
                        $this->getLogger()->writeToLog(print_r($organisationDetails, true));

                        $this->createLoginSession($myrow, $organisationDetails, false, $paymentRequired, $passwordChangeRequired);
                        $data = null;
                        if ($externalDevice === 1)
                        {
                            $data = new stdClass();
                            $data->AuthToken = $_SESSION["AuthToken"];
                            $data->ClientID = $_SESSION["ClientID"];
                            $data->UserID = abs($_SESSION["UserID"]);
                        }

                        $this->getLogger()->writeToLog("Login Response Headers");
                        $headers = apache_response_headers();
                        $this->getLogger()->writeToLog(print_r($headers, true));

此时会返回一个包含 JSON 对象的 API 响应

在上面的代码中,如果电子邮件和密码匹配(此处未使用 Google 登录),它会调用如下的 createLoginSession:

private function createLoginSession($myrow, $organisationDetails, $usingGoogleSignIn, &$paymentRequired, &$passwordChangeRequired)
    {
        require_once 'CommonTasks.php';
        require_once 'IPLookup.php';
        require_once 'Encryption.php';
        try
        {
            $this->getLogger()->writeToLog("Creating login session");
            $paymentRequired = false;
            if ($organisationDetails === null)
            {
                $organisationDetails = $this->getOrganisationDetails($myrow["Organisation"]);
            }
            $encryption = new Encryption();
            $userID = mysqli_escape_string($this->getDBConn(), $myrow["UserID"]);
            $organisationID = intval(abs($myrow["Organisation"]));

            $commonTasks = new CommonTasks();
            $browserDetails = $commonTasks->getBrowserName();
            $this->getLogger()->writeToLog("Browser Details");
            $this->getLogger()->writeToLog(print_r($browserDetails, true));
            $clientName = $browserDetails["name"];

            $iplookup = new IPLookup(null, $this->getLogger());
            $ipDetails = json_decode($iplookup->getAllIPDetails($commonTasks->getIP()));

            if ($ipDetails !== null)
            {
                $ip = $ipDetails->ip;
                $country = $ipDetails->country_name;
                $city = $ipDetails->city;
            }
            else
            {
                $ip = "";
                $country = "";
                $city = "";
            }

            //Create a random client ID and store this as a cookie
            if (isset($_COOKIE["ClientID"]))
            {
                $clientID = $_COOKIE["ClientID"];
            }
            else
            {
                $clientID = $commonTasks->generateRandomString(6, "0123456789");
                setcookie("ClientID", $clientID, 0, "/");
            }

            //Create an auth token
            $authToken = $commonTasks->generateRandomString(25);
            $encryptedAuthToken = $encryption->encrypt($authToken);

            $query = "REPLACE INTO client (ClientID, UserID, AuthToken, ClientName, Country, City, IPAddress) " .
                "VALUES ('$clientID', '$userID', '$encryptedAuthToken', '$clientName', '$country', '$city', '$ip')";
            $result = $this->getDBConn()->query($query);
            if ($result)
            {

                session_start();
                $this->getLogger()->writeToLog("Logging in and regnerating session id");
                session_regenerate_id(true);

                $_SESSION["AuthToken"] = $authToken;
                $_SESSION["ClientID"] = $clientID;
                $_SESSION["UserID"] = $userID;
                $_SESSION["FirstName"] = $this->getEncryption()->decrypt($myrow["FirstName"]);
                $_SESSION["LastName"] = $this->getEncryption()->decrypt($myrow["LastName"]);

                $passwordChangeRequired = $myrow["PasswordChangeRequired"] === "1" ? true : false;
                //Check if the last payment failure reason is set, if so, set a cookie with the message but only
                //if the organisation is not on the free plan
                //Logger::log("Current Plan: " . $this->getOrganisationDetails(->getPlan()));
                if ($organisationDetails->getPlan() !== "Free")
                {
                    if (!empty($organisationDetails->getLastPaymentFailureReason()))
                    {
                        $this->getLogger()->writeToLog("Detected last payment as a failure. Setting cookies for organisation id: " . $organisationDetails->getId());
                        setcookie("HavePaymentFailure", true, 0, "/");
                        setcookie("PaymentFailureReason", $organisationDetails->getLastPaymentFailureReason(), 0, "/");

                    }
                    //Check if the current SubscriptionPeriodEnd is in the past
                    $subscriptionPeriodEnd = $organisationDetails->getSubscriptionOfPeriod();
                    $currentTime = DateTimeManager::getEpochFromCurrentTime();
                    if ($currentTime > $subscriptionPeriodEnd)
                    {
                        $this->getLogger()->writeToLog("Detected payment overdue for organisation: " . $organisationDetails->getId());
                        //The payment was overdue, determine the number of days grace period (there's a 7 day grace period) that's left
                        $subscriptionPeriodEndGracePeriod = $subscriptionPeriodEnd + (86400 * 7);
                        $numberOfDaysRemaining = floor((($subscriptionPeriodEndGracePeriod - $currentTime) / 86400));

                        setcookie("PaymentOverdue", true, 0, "/");
                        setcookie("DaysGraceRemaining", $numberOfDaysRemaining, 0, "/");
                        if ($numberOfDaysRemaining <= 0)
                        {
                            $paymentRequired = true;
                        }
                    }
                }
                setcookie("UsingGoogleSignIn", $usingGoogleSignIn ? "1" : "0", 0, "/");
                if ($organisationDetails->getId() !== 0)
                {

                    $_SESSION["OrganisationDetails"] = array();
                    $_SESSION["OrganisationDetails"]["id"] = $organisationDetails->getId();
                    $_SESSION["OrganisationDetails"]["Name"] = $organisationDetails->getName();

                }
                setcookie("UserID", $userID, 0, "/");
                $this->getLogger()->writeToLog("Successfully created login session. User ID '$userID' and Organisation ID '$organisationID'");
                return true;
            }
            else
            {
                $error = mysqli_error($this->getDBConn());
                $this->getLogger()->writeToLog("Failed to create login session. DB Error: $error");
                $this->getAlarms()->setAlarm(AlarmLevel::CRITICAL, "AccountManagement", "Failed to create login session. DB Error");
                throw new DBException($error);
            }
        }
        catch (DBException $ex)
        {
            throw $ex;
        }
    }

在上面的函数中,我调用了 session_start() 然后调用了 regenerate_session_id() 然后我在响应中得到了两个 PHPSESSID cookie,尽管日志行只输出一次所以它肯定不会被多次调用。

如果我删除 regenerate_session_id 那么问题就消失了。为了安全起见,我已经尝试交换 session_start(),所以它出现在 regenerate_session_id 之后,但看起来 session ID 没有按预期重新创建。

更新 2

根据@waterloomatt 的评论,我创建了一个仅包含以下内容的 PHP 脚本:

<?php
session_start();
session_regenerate_id(true);
phpinfo();

而phpinfo输出的HTTP头信息如下

**HTTP Request Headers**
GET /api/session_test.php HTTP/1.1
Host    localhost
Connection  keep-alive Upgrade-Insecure-Requests    1
User-Agent  Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.103 Safari/537.36
Accept  text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
Accept-Encoding gzip, deflate, br
Accept-Language en-GB,en-US;q=0.9,en;q=0.8
Cookie  _ga=GA1.1.1568991346.1553017442

**HTTP Response Headers**
X-Powered-By    PHP/7.2.10
Set-Cookie  PHPSESSID=i19irid70cqbvpkrh0ufffi0jk; path=/
Expires Thu, 19 Nov 1981 08:52:00 GMT 
Cache-Control   no-store, no-cache,> must-revalidate Pragma no-cache
Set-Cookie  PHPSESSID=48qvia5e6bpmmk251qfrqs8urd; path=/

最佳答案

这个 header 实际上会删除 cookie。这是删除 HTTP-only cookie 的唯一方法:使其过期回溯。

Set-Cookie: PHPSESSID=15u9j1p2oinfl5a8slh518ee9r; path=/
< Expires: Thu, 19 Nov 1981 08:52:00 GMT

关于php - session_regenerate_id 导致返回两个 PHPSESSID cookie,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/55754652/

24 4 0
文章推荐: php - Composer 在自定义路径中安装包或模块?
文章推荐: php - Symfony 表单数据未格式化为驼峰式
文章推荐: php - 如何在 Codeigniter 中创建动态站点地图
文章推荐: php - 我应该使用什么正则表达式来查找不包含指定字符串的文件名?
搜寻专家
个人简介

我是一名优秀的程序员,十分优秀!

滴滴打车优惠券免费领取
滴滴打车优惠券
Copyright 2021 - 2024 cfsdn All Rights Reserved 蜀ICP备2022000587号
广告合作:1813099741@qq.com 6ren.com