2

I have a page that shows a value from the session, let's call it www.domain-a.com/master.php, and if I type it directly into the browser, it shows me the session value.

But when I try to download it with file_get_contents (or another method) from another domain, like www.domain-b.com/slave.php, it does not retrieve the content protected by the session, just a blank page.

I know it is because server-b is trying to retrieve the content, not the user...

Does anyone know how to tell domain-a that the one retrieving the information is the user? Is there a way to retrieve the session value?

Regards,

josé

4

6 Answers

18

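There is a useful solution.

Sending the PHPSESSID to another server makes no sense, because session data is stored in a file on the server, and that is why file_get_contents blocks the http service. It is simple. The client connects to the server over http, and the server of course opens the file with the session data for writing. file_get_contents creates another connection (another thread) to the same server. If the session ID is set, the server opens the same file with the session data, but that file is already open.

So here is a good solution that prevents this collision: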

$opts = array(
    'http' => array(
        'method' => "GET",
        'header' => "Accept-language: en\r\n" .
                    "Cookie: " . session_name() . "=" . session_id() . "\r\n"
    )
);

$context = stream_context_create($opts);
session_write_close();   // this is the key
$obsah = file_get_contents('http://blablabla.cz', false, $context);

It works fine. Yes, yes, yes.

Answered 2013-06-04T16:04:59.293
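
The pattern from the answer above, as an added example that is not part of the original answers: it releases the session lock before the nested request and forwards the session cookie only to one allow-listed host. `ALLOWED_HOST` and `fetch_with_session()` are hypothetical names, and the HTTPS-only, timeout and no-redirect settings are assumptions added here as hardening.

```php
<?php
// Added example, not from the original answers. ALLOWED_HOST and
// fetch_with_session() are hypothetical names chosen for illustration.
const ALLOWED_HOST = 'www.domain-a.com'; // assumed: the host that issued this session

function fetch_with_session(string $url, int $timeout = 5): string
{
    // Forward the session cookie only to the host that issued it, and only
    // over HTTPS, so the session ID is never disclosed to another server.
    $parts = parse_url($url);
    if ($parts === false
        || ($parts['scheme'] ?? '') !== 'https'
        || strcasecmp($parts['host'] ?? '', ALLOWED_HOST) !== 0) {
        throw new InvalidArgumentException('refusing to forward session cookie to ' . $url);
    }
    if (session_status() !== PHP_SESSION_ACTIVE) {
        throw new RuntimeException('no active session to forward');
    }

    // Build the Cookie header while the session is still open.
    $cookie = session_name() . '=' . rawurlencode(session_id());
    $context = stream_context_create(['http' => [
        'method'          => 'GET',
        'header'          => "Cookie: $cookie\r\n",
        'timeout'         => $timeout, // bound the wait if the session file is still locked
        'follow_location' => 0,        // a redirect must not carry the cookie to another host
    ]]);

    // Release the session file lock before the nested request. Otherwise the
    // second request blocks on the same session file until this script ends.
    // After this call, changes to $_SESSION in this script are not saved.
    session_write_close();

    $body = file_get_contents($url, false, $context);
    if ($body === false) {
        throw new RuntimeException('request failed: ' . $url);
    }
    return $body;
}
```
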
5

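You probably need to send the user's session ID in a cookie along with the request.

If you want to use the file_get_contents function, you have to create a context to set the cookie: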

$opts = array(
    'http' => array(
        'method' => 'GET',
        'header' => 'Cookie: PHPSESSID=0123456789abcdef0123456789abcdef'
    )
);
$context = stream_context_create($opts);
echo file_get_contents('http://master.example.com/master.php', false, $context);

Answered 2009-04-19T21:58:53.707
0

If you have control over www.domain-a.com/master.php, then you can have it programmed in a way that you could send it the username in encrypted fashion, like master.php?user=zxcvert2324 or whatever, and it would decrypt it and know who is sending the request.

Otherwise you would need to look into CURL and have the session created by first having curl log in to that site and then, on the next request, go to that master.php page.

Answered 2009-09-29T19:28:31.850
0

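Keep in mind that if your session code validates against the client IP address, you may still run into problems, because the client IP posted to your page will be that of the requesting server (using curl or file_get_contents) rather than the IP of the client browser.

Answered 2009-04-21T16:29:19.707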
-1

Your PHP configuration is probably prohibiting you from retrieving files over HTTP.

Possible culprits:

Answered 2009-04-19T21:23:22.730
-1

You should be able to retrieve the content with curl. See this answer (you can probably drop the browser spoof option).

Answered 2009-04-19T21:36:55.897