7

We have a Magento application which is issuing dual Set-Cookies. Here are the headers:

  HTTP/1.1 200 OK
  Date: Wed, 18 Apr 2012 21:04:28 GMT
  Server: Apache/2.2.3 (CentOS)
  X-Powered-By: PHP/5.2.10
  Set-Cookie: frontend=iti6c00cdm6cc79hfl1pl9pq52; expires=Wed, 18-Apr-2012 22:04:28 GMT; path=/
  Expires: Thu, 19 Nov 1981 08:52:00 GMT
  Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
  Pragma: no-cache
  Set-Cookie: frontend=iti6c00cdm6cc79hfl1pl9pq52; expires=Wed, 18-Apr-2012 22:04:28 GMT; path=/; domain=example.com
  Connection: close
  Transfer-Encoding: chunked
  Content-Type: text/html; charset=UTF-8

In some circumstances, after logging in, the second cookie is set to frontend=deleted. From my reading it appears that two frontend= cookies are not a "problem"; this is standard Magento behaviour. From my reading of the spec, the second frontend= cookie will overwrite the first if their scope/spec is the same.

Any ideas where we can start digging into this problem to see why the second frontend= cookie does not behave like the first?

Magento version is enterprise edition of ver. 1.9.0.0

2 Answers

4

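This happens when the session validation check fails - the cookie is then cleared with the "deleted" value and an expiration date in the past.

Magento will check the following information to validate a session:

  • IP address of the client connecting to the server
  • "Via" HTTP header
  • "X-Forwarded-For" header
  • "User-Agent" header

If one (or more) of these pieces of information changes between requests for the same session ID, the session will be discarded, the cookie will be cleared in the way described, and the server will send a redirect header to the home page.

You can change which information is validated in the Magento admin panel by going to System > Configuration > Web. But you should never turn off all checks, because this will allow session hijacking.

answered 2014-12-12T13:58:22.677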
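
The validation described in the answer above, modelled as an added example (it is not Magento's code and not part of the original answers): it replays requests per session ID and reports which validated attribute changed, which is the point where the session would be discarded and the cookie set to "deleted". The field names, the `find_invalidations` helper and the sample requests are constructed for illustration.

```python
from dataclasses import dataclass

# The four request attributes the answer lists as validated.
# Names are this example's own, not Magento identifiers.
CHECKS = ("remote_addr", "via", "x_forwarded_for", "user_agent")


@dataclass(frozen=True)
class Request:
    session_id: str
    remote_addr: str
    via: str = ""
    x_forwarded_for: str = ""
    user_agent: str = ""


def find_invalidations(requests, enabled=CHECKS):
    """Return (index, session_id, changed_fields) for each request whose
    enabled attributes differ from those seen when the session started."""
    baseline = {}   # session_id -> first request seen for that session
    findings = []
    for i, req in enumerate(requests):
        first = baseline.setdefault(req.session_id, req)
        changed = [f for f in enabled if getattr(req, f) != getattr(first, f)]
        if changed:
            findings.append((i, req.session_id, changed))
            # Session is discarded here; the client is sent frontend=deleted.
            del baseline[req.session_id]
    return findings


# Constructed sample: sess-A moves to a different proxy node mid-session,
# sess-B keeps its address but presents a different User-Agent.
UA = "Mozilla/5.0 (X11; Linux x86_64)"
SAMPLE = [
    Request("sess-A", "203.0.113.10", user_agent=UA),
    Request("sess-A", "203.0.113.10", user_agent=UA),
    Request("sess-A", "203.0.113.11", via="1.1 proxy-b",
            x_forwarded_for="198.51.100.7", user_agent=UA),
    Request("sess-B", "198.51.100.20", user_agent=UA),
    Request("sess-B", "198.51.100.20", user_agent="curl/8.0"),
]

if __name__ == "__main__":
    for idx, sid, fields in find_invalidations(SAMPLE):
        print(f"request {idx}: session {sid} discarded, changed: {fields}")
```

Passing a narrower `enabled` tuple mirrors validating fewer attributes under System > Configuration > Web: with only `user_agent` enabled, the proxy change in sess-A is tolerated while the User-Agent change in sess-B is still caught.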
0

Are you trying to overwrite the frontend cookie? If so, it is better to destroy the cookie first and then reset it using the Magento method:

Mage::getModel('core/cookie')->set('frontend', $session->getCustomer()->getId(), 100000*24*3600);

answered 2012-04-25T13:03:04.343