PHP: reading a session across domains, subdomains and servers

1. Solutions for cross-subdomain and cross-server sessions

A session has two main parts:
   One is the session data, which by default is stored as a file in the server's tmp directory.
   The other is the session ID that identifies the session data. The session ID is simply the file name of that session file. It is generated randomly, which guarantees uniqueness and unpredictability and keeps the session secure. If no session lifetime is set, the session ID is held only in the browser's memory and is discarded when the browser is closed; the next request to the page registers a new session ID. If the client has not disabled cookies, a cookie stores the session ID and the session lifetime when the session is started.

   When two sites on different domain names want to use the same session, we have the session cross-domain problem.
   By default each server generates its own SESSION ID for the same client: for the same user's browser, server A produces the session ID 11111111111 while server B produces 222222. In addition, PHP session data is stored in each server's own file system. To share session data, two goals must be met:
      First, every server must produce the same session ID for the same client, and that ID must be carried by the same cookie; in other words, every server must be able to read the same cookie named PHPSESSID. Second, the session data must be stored in a way/location that every server can reach. In short, the servers (A and B) must share the client's session ID and must also share the server-side session data.
      The first goal is easy: set the cookie's domain appropriately (the fourth parameter of setcookie()). By default a cookie's domain is the current server's host name/IP address, and a cookie set for one domain cannot be read by a server on a different domain.

1) Cross-subdomain

    This approach does not work across different domains, but it does work within one parent domain. For example, aaa.cocoglp.com and www.cocoglp.com both belong to the domain .cocoglp.com, so we can set the cookie domain to .cocoglp.com and then aaa.cocoglp.com, www.cocoglp.com and so on can all read this cookie. That achieves the goal of every server sharing the same client session ID.

Implementation

-------------------------------------------------------------------------------------------------

There are three ways to do this:

1. At the very beginning of the PHP page (before any output and before session_start()), apply the following settings

ini_set('session.cookie_path', '/');
ini_set('session.cookie_domain', '.mydomain.com');
ini_set('session.cookie_lifetime', '1800');

2. Set in php.ini

session.cookie_path = /
session.cookie_domain = .mydomain.com
session.cookie_lifetime = 1800

3. At the very beginning of the PHP page (same condition as in 1), call the function

session_set_cookie_params(1800, '/', '.mydomain.com');

All three approaches have the same effect.


Here I use the first method and test it on the two domain names www.mydomain.com and sub.mydomain.com. The test code is as follows

sub1.php

<?php

// The page visited first sets the cookie parameters
ini_set('session.cookie_path', '/');
ini_set('session.cookie_domain', '.mydomain.com');
ini_set('session.cookie_lifetime', '1800');

// Equivalent to the three ini_set() calls above; either form is enough on its own
session_set_cookie_params(1800, '/', '.mydomain.com');
session_start();
$_SESSION['sub1'] = 'sub1';
print_r($_SESSION);

?>

sub2.php

<?php

session_set_cookie_params(1800, '/', '.mydomain.com');
session_start();
$_SESSION['sub2'] = 'sub2';
print_r($_SESSION);

?>


Access order:

(1)www.mydomain.com/sub1.php

Page output: Array ( [sub1] => sub1 )

(2)sub.mydomain.com/sub2.php

Page output: Array ( [sub1] => sub1 [sub2] => sub2 )

Success.

----------------------------------------------------------------------------------------------------


     The second goal can be met by keeping the session data in a database, so that every server reads the same data source and gets the same session data; or by sharing files, for example over NFS (my other articles cover how to configure NFS).
     If session data is stored in a database there is a remaining issue: on a high-traffic site, the frequent session reads and writes hit the database hard, so the data can be put in memcache instead. Storing sessions in a database was implemented in an earlier article, and the idea of combining the database with memcache was also covered earlier. Using memcache alone for sessions is not ideal; it is best combined with a database.
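The database-backed storage described above, as an added example that is not code from the original post: a custom session handler that keeps session data in a shared table, combined with the cross-subdomain cookie settings so that every server uses the same PHPSESSID. The table layout, the DSN and the credentials are assumptions (placeholders), and the code assumes PHP 8 with PDO and MySQL.

```php
<?php
// Added example, not code from the original post: a database-backed session handler so
// that every server reading the same database sees the same session data.
// Assumed table (MySQL): CREATE TABLE sessions (id VARCHAR(128) PRIMARY KEY,
//   data BLOB NOT NULL, expires INT UNSIGNED NOT NULL);  DSN and credentials are placeholders.
class DbSessionHandler implements SessionHandlerInterface
{
    public function __construct(private PDO $db, private int $ttl) {}

    public function open(string $path, string $name): bool { return true; }
    public function close(): bool { return true; }

    public function read(string $id): string|false
    {
        // An expired row reads as an empty session rather than stale data
        $st = $this->db->prepare('SELECT data FROM sessions WHERE id = ? AND expires > ?');
        $st->execute([$id, time()]);
        $data = $st->fetchColumn();
        return $data === false ? '' : $data;
    }

    public function write(string $id, string $data): bool
    {
        // Upsert with bound parameters; the session id never reaches the SQL text
        $sql = 'INSERT INTO sessions (id, data, expires) VALUES (?, ?, ?)
                ON DUPLICATE KEY UPDATE data = VALUES(data), expires = VALUES(expires)';
        return $this->db->prepare($sql)->execute([$id, $data, time() + $this->ttl]);
    }

    public function destroy(string $id): bool
    {
        return $this->db->prepare('DELETE FROM sessions WHERE id = ?')->execute([$id]);
    }

    public function gc(int $max_lifetime): int|false
    {
        $st = $this->db->prepare('DELETE FROM sessions WHERE expires < ?');
        $st->execute([time()]);
        return $st->rowCount();
    }
}

// Identical cookie settings on every server, so PHPSESSID is shared across the subdomains
session_set_cookie_params(['lifetime' => 1800, 'path' => '/', 'domain' => '.mydomain.com', 'httponly' => true]);
$pdo = new PDO('mysql:host=DB_HOST_PLACEHOLDER;dbname=app', 'DB_USER_PLACEHOLDER', 'DB_PASS_PLACEHOLDER');
session_set_save_handler(new DbSessionHandler($pdo, 1800), true);
session_start();
$_SESSION['seen_on'][] = gethostname(); // each server appends its own name to the shared list
print_r($_SESSION);
```

Deploy the same file on www.mydomain.com and sub.mydomain.com and request each in turn; the seen_on list grows with both host names because both servers read and write the same row.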

2) Cross-domain solution

Idea: solve it with an iframe. ff does not support this, so a P3P policy has to be sent first.

The first thing that comes to mind is to manipulate cookies with JS so that the cookies of two different domains can reach each other, which gives the effect described above. The implementation can be divided roughly into two steps:

1. After a successful login in system A, use JS to dynamically create a hidden iframe and, through the iframe's src attribute, redirect to page b.jsp in system B with the cookie value from domain A as a GET parameter;

var _frm = document.createElement("iframe");
_frm.style.display = "none";
_frm.src = "http://www.222.com/setcookie.php?mycookie=xxxxx"; // the xxx value should be URL-encoded
document.body.appendChild(_frm);

2. In the setcookie.php page of system B, read the cookie value passed from system A and write it into the user's cookie, under B's own domain of course. That is a simple way to get cross-domain cookie access. One issue to note: in Internet Explorer this does not work unless setcookie.php sets a P3P HTTP header (see http://www.w3.org/P3P/ for details). The P3P header is set with:
     header('P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"'); // this is how ecshop sets it
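The receiving page of step 2, as an added example that is not the post's code: it keeps the P3P header from the post but, instead of carrying A's raw cookie value in the URL (where it would appear in server logs and Referer headers), A sends a short-lived HMAC-signed token that B verifies before writing its own cookie. SHARED_SECRET, TOKEN_TTL, make_token and verify_token are assumptions; the domain .222.com comes from the iframe URL in the post.

```php
<?php
// Added example, not code from the original post: setcookie.php on domain B.
// SHARED_SECRET is a placeholder for a key known to both A and B.
const SHARED_SECRET = 'REPLACE_WITH_A_LONG_RANDOM_SECRET';
const TOKEN_TTL = 60; // seconds the token stays valid

// Built on A and put in the iframe URL: base64(user:expiry) . '.' . hmac
// e.g. $frm->src = 'http://www.222.com/setcookie.php?token=' . urlencode(make_token($user, time()));
function make_token(string $user, int $now): string
{
    $payload = base64_encode($user . ':' . ($now + TOKEN_TTL));
    return $payload . '.' . hash_hmac('sha256', $payload, SHARED_SECRET);
}

// Checked on B: returns the user name, or null if the token is forged, malformed or expired
function verify_token(string $token, int $now): ?string
{
    $parts = explode('.', $token, 2);
    if (count($parts) !== 2) return null;
    [$payload, $mac] = $parts;
    // Constant-time comparison of the MAC before trusting any of the payload
    if (!hash_equals(hash_hmac('sha256', $payload, SHARED_SECRET), $mac)) return null;
    $decoded = base64_decode($payload, true);
    $pos = $decoded === false ? false : strrpos($decoded, ':');
    if ($pos === false) return null;
    $user = substr($decoded, 0, $pos);
    $exp = (int) substr($decoded, $pos + 1);
    return ($exp > $now && $user !== '') ? $user : null;
}

// P3P header so IE accepts a cookie set inside the hidden third-party iframe (values as in the post)
header('P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"');
$user = verify_token($_GET['token'] ?? '', time());
if ($user === null) {
    http_response_code(403);
    exit;
}
// Write B's own cookie for B's domain; HttpOnly and Secure keep it away from scripts and plain HTTP
setcookie('user', $user, ['expires' => time() + 1800, 'path' => '/', 'domain' => '.222.com',
                          'secure' => true, 'httponly' => true]);
```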

Meaning of the CP tokens above
CURa
Information is used to complete the activity for which it was provided.

ADMa
Information may be used for the technical support of the Web site and its computer system.

DEVa
Information may be used to enhance, evaluate, or otherwise review the site, service, product, or market.

PSAo
Information may be used to create or build a record of a particular individual or computer that is tied to a pseudonymous identifier, without tying identified data (such as name, address, phone number, or email address) to the record. This profile will be used to determine the habits, interests, or other characteristics of individuals for purpose of research, analysis and reporting, but it will not be used to attempt to identify specific individuals. 

PSDo
Information may be used to create or build a record of a particular individual or computer that is tied to a pseudonymous identifier, without tying identified data (such as name, address, phone number, or email address) to the record. This profile will be used to determine the habits, interests, or other characteristics of individuals to make a decision that directly affects that individual, but it will not be used to attempt to identify specific individuals.

OUR
We share information with ourselves and/or entities acting as our agents or entities for whom we are acting as an agent.

BUS
Info is retained under a service provider's stated business practices. Sites MUST have a retention policy that establishes a destruction time table. The retention policy MUST be included in or linked from the site's human-readable privacy policy.

UNI
Non-financial identifiers, excluding government-issued identifiers, issued for purposes of consistently identifying or recognizing the individual. These include identifiers issued by a Web site or service.

PUR
Information actively generated by the purchase of a product or service, including information about the method of payment.

INT
Data actively generated from or reflecting explicit interactions with a service provider through its site -- such as queries to a search engine, or logs of account activity.

DEM
Data about an individual's characteristics -- such as gender, age, and income.

STA
Mechanisms for maintaining a stateful session with a user or automatically recognizing users who have visited a particular site or accessed particular content previously -- such as HTTP cookies.

PRE
Data about an individual's likes and dislikes -- such as favorite color or musical tastes.

COM
Information about the computer system that the individual is using to access the network -- such as the IP number, domain name, browser type or operating system.

NAV
Data passively generated by browsing the Web site -- such as which pages are visited, and how long users stay on each page.

OTC
Other types of data not captured by the above definitions.

NOI
Web site does not collect identified data.

DSP
The privacy policy contains DISPUTES elements.

COR
Errors or wrongful actions arising in connection with the privacy policy will be remedied by the service.


Validate at: http://www.w3.org/P3P/validator.html
Learn more at: http://www.fiddlertool.com/redir/?id=p3pinfo