我写了这段代码以安全的方式开始会话
function sessionStart() {
$session_name = 'sec_session_id'; // Set a custom session name
$secure = false; // Set to true if using https.
$httponly = true; // This stops javascript being able to access the session id.
ini_set('session.use_only_cookies', 1); // Forces sessions to only use cookies.
$cookieParams = session_get_cookie_params(); // Gets current cookies params.
session_set_cookie_params($cookieParams["lifetime"], $cookieParams["path"], $cookieParams["domain"], $secure, $httponly);
session_name($session_name); // Sets the session name to the one set above.
session_start(); // Start the php session
session_regenerate_id(true); // regenerated the session, delete the old one.
}
现在我有一个问题,如果我们有这个 session_regenrate_id 那么我们的会话 ID 将在每个页面中执行时发生变化?如果我为会话重新生成 ID,我应该如何为想要登录 1 个月的用户使用 cookie?例如,将 $cookieParams["lifetime"] 增加到 1 个月是否安全?如果没有,我应该如何在 1 个月内实现这一目标?我使用 ssl,然后我认为我的 cookie 是安全的。
更新
我去的另一种方法是将会话存储在数据库中。
<?php
/**
* PDO Session Handler
* @author Daniel15 <dan.cx>
*
* This class is actually static, but since PHP doesn't support static classes, abstract is close
* enough. You do not instantiate the class; you just call the static "init" method.
*/
abstract class PDOSession
{
private static $db;
private static $oldData;
/**
* Initialise the PDO session handler
* @param PDO PDO instance to use for database
*/
public static function init(PDO $db)
{
self::$db = $db;
// Add the session handlers
session_set_save_handler('PDOSession::open', 'PDOSession::close',
'PDOSession::read', 'PDOSession::write',
'PDOSession::destroy', 'PDOSession::garbageCollect');
session_start();
}
/**
* Session open handler
* @param string Path to save session to
* @param string Name of the session
*/
public static function open($save_path, $session_name)
{
// Nothing
return true;
}
/**
* Session close handler
*/
public static function close()
{
// Nothing
return true;
}
/**
* Session load handler. Load the session
* @param string Session ID
*/
public static function read($session_id)
{
// Load the session data from the database
$query = self::$db->prepare('
SELECT data
FROM sessions
WHERE session_id = :session_id');
$query->execute(array(':session_id' => $session_id));
return $query->fetchColumn();
}
/**
* Session save handler. Save the session
* @param string Session ID
* @param string Data to save to session
*/
public static function write($session_id, $data)
{
/* Try to update the existing session. If we can't find one, then create a new one. If you
* are using MySQL, this can be done in a single INSERT statment via INSERT ... ON
* DUPLICATE KEY UPDATE. Remove the UPDATE and edit the INSERT to do it this way.
* See http://dev.mysql.com/doc/refman/5.0/en/insert-on-duplicate.html
*
* This does two queries so you can use any DBMS.
*/
$query = self::$db->prepare('
UPDATE sessions
SET data = :data, last_activity = :last_activity
WHERE session_id = :session_id');
$query->execute(array(
':session_id' => $session_id,
':data' => $data,
'last_activity' => time()));
// No session to update? Create a new one
if ($query->rowCount() == 0)
{
self::$db
->prepare('
INSERT INTO sessions
(session_id, data, last_activity)
VALUES
(:session_id, :data, :last_activity)')
->execute(array(
':session_id' => $session_id,
':data' => $data,
'last_activity' => time())
);
}
}
/**
* Session delete handler. Delete the session from the database
* @param string Session ID
*/
public static function destroy($session_id)
{
self::$db
->prepare('
DELETE FROM sessions
WHERE session_id = :session_id')
->execute(array(':session_id' => $session_id));
}
/**
* Session garbage collector. Delete any old expired sessions
* @param int How many seconds do sessions last for?
*/
public static function garbageCollect($lifetime)
{
self::$db
->prepare('
DELETE FROM sessions
WHERE last_activity < :min_time')
->execute(array(':min_time' => time() - $lifetime));
}
}
?>
现在为此我应该如何在这种情况下创建cookie?