PHP每个用户多个并发会话

时间:2022-11-30 16:50:25

I'm working on a web app using PHP on Apache. $_SESSION variables are used quite a bit for the information that must persist across pages.

我正在使用Apache上的PHP开发Web应用程序。 $ _SESSION变量对于必须在页面中保持不变的信息使用得相当多。

We need each user to be able to open multiple concurrent sessions, either as new tabs or new windows, depending on their choice of browser. Right now when a user opens an addition tab or window and goes to the site the existing session is adopted. How can I prevent this so that the user must (or may) log in and start a new session, without it interfering with any existing session(s) they already have open?

我们需要每个用户能够打开多个并发会话,作为新选项卡或新窗口,具体取决于他们选择的浏览器。现在,当用户打开添加选项卡或窗口并转到站点时,将采用现有会话。如何防止这种情况,以便用户必须(或可能)登录并启动新会话,而不会干扰他们已经打开的任何现有会话?

Our temporary workaround is to use multiple browsers (IE and FF) but that's obviously not a very desirable way of doing things.

我们的临时解决方法是使用多个浏览器(IE和FF),但这显然不是一种非常理想的做事方式。

4 个解决方案

#1


8  

The behavior you describe opposes the concept of a browser session. Why would a user want more than one session? Is it a matter of user access controls needing to be enforced? If so, assign users to logical groups and grant permissions to specific groups. Do users need to perform some action on behalf of other users? If so, design the website around that concept instead of trying to create multiple sessions for a single user.

您描述的行为反对浏览器会话的概念。为什么用户想要多个会话?是否需要强制执行用户访问控制?如果是,请将用户分配给逻辑组并向特定组授予权限。用户是否需要代表其他用户执行某些操作?如果是这样,请围绕该概念设计网站,而不是尝试为单个用户创建多个会话。

If you really have to do this, you could do something horrible like pass along a query parameter (very insecure!) between pages to act as a session ID, bypassing the actual $_SESSION altogether and managing your own concept of a session. Again, this is not normal and will only lead to headaches/security issues in the future.

如果你真的必须这样做,你可以做一些可怕的事情,比如在页面之间传递一个查询参数(非常不安全!)作为会话ID,完全绕过实际的$ _SESSION并管理你自己的会话概念。同样,这不正常,将来只会导致头痛/安全问题。

#2


2  

Non-Atomic Concurrent Session Management access can be simulated with the following pseudo coded logic:

可以使用以下伪编码逻辑模拟非原子并发会话管理访问:

function main(){
  $locker = new SessionLocking();
  /** read elements the $_SESSION "cached" copy. **/
  $var1 = $_SESSION['var1'];
  $var2 = $_SESSION['var2'];
  /** Pseudo Atomic Read **/
  $locker->lock(); //session is locked against concurrent access.
  $var3 = $_SESSION['var3'];
  $locker->unlock(); //session is committed to disk (or other) and can be accessed by another script.
  /** Psuedo Atomic Write **/
  $locker->lock(); //session is locked against concurrent access.
  $_SESSION['var4'] = "Some new value";
  $locker->unlock(); //session is committed to disk (or other) and can be accessed by another script
}

CLASS SessionLocking {

private static $lockCounter=0;
private static $isLoaded=false;

function __constructor(){
  if (!self::$isLoaded) load();
}

private function load(){
 $this->lock();
 $this->unlock();
}

private function lock(){
  if ($lockCounter<1) try {session_start();} Catch(){}
  $lockCounter++; 
}

private function unlock(){
  if ($lockCount<1) return;
  $lockCounter--;
  if ($lockCounter<1) try {session_write_close();} Catch(){}
}
}

#3


1  

This would be very difficult to do, if at all possible.

如果可能的话,这将是非常困难的。

Sessions should not have to worry about which tab they are in.

会话不应该担心他们所处的标签。

Also, what happens if session 1 in tab 1 opens a new window? Is it a new session?

此外,如果选项卡1中的会话1打开一个新窗口会发生什么?这是新会议吗?

#4


-2  

Here is a way to do that:

这是一种方法:

-First disable session cookies in php.ini with:

- 首先禁用php.ini中的会话cookie:

session.use_cookies = 0

This makes sure that cookies are not used to pass the session id.

这可确保cookie不用于传递会话ID。

-then Make sure you generate all your URLs with the session id included ( you get it through function session_id() e.g.:

- 然后确保生成包含会话ID的所有URL(通过函数session_id()获取它,例如:

print "<a href= \"http://www.example.com/".session_id()."&showlist=1\">show list</a>";

#1


8  

The behavior you describe opposes the concept of a browser session. Why would a user want more than one session? Is it a matter of user access controls needing to be enforced? If so, assign users to logical groups and grant permissions to specific groups. Do users need to perform some action on behalf of other users? If so, design the website around that concept instead of trying to create multiple sessions for a single user.

您描述的行为反对浏览器会话的概念。为什么用户想要多个会话?是否需要强制执行用户访问控制?如果是,请将用户分配给逻辑组并向特定组授予权限。用户是否需要代表其他用户执行某些操作?如果是这样,请围绕该概念设计网站,而不是尝试为单个用户创建多个会话。

If you really have to do this, you could do something horrible like pass along a query parameter (very insecure!) between pages to act as a session ID, bypassing the actual $_SESSION altogether and managing your own concept of a session. Again, this is not normal and will only lead to headaches/security issues in the future.

如果你真的必须这样做,你可以做一些可怕的事情,比如在页面之间传递一个查询参数(非常不安全!)作为会话ID,完全绕过实际的$ _SESSION并管理你自己的会话概念。同样,这不正常,将来只会导致头痛/安全问题。

#2


2  

Non-Atomic Concurrent Session Management access can be simulated with the following pseudo coded logic:

可以使用以下伪编码逻辑模拟非原子并发会话管理访问:

function main(){
  $locker = new SessionLocking();
  /** read elements the $_SESSION "cached" copy. **/
  $var1 = $_SESSION['var1'];
  $var2 = $_SESSION['var2'];
  /** Pseudo Atomic Read **/
  $locker->lock(); //session is locked against concurrent access.
  $var3 = $_SESSION['var3'];
  $locker->unlock(); //session is committed to disk (or other) and can be accessed by another script.
  /** Psuedo Atomic Write **/
  $locker->lock(); //session is locked against concurrent access.
  $_SESSION['var4'] = "Some new value";
  $locker->unlock(); //session is committed to disk (or other) and can be accessed by another script
}

CLASS SessionLocking {

private static $lockCounter=0;
private static $isLoaded=false;

function __constructor(){
  if (!self::$isLoaded) load();
}

private function load(){
 $this->lock();
 $this->unlock();
}

private function lock(){
  if ($lockCounter<1) try {session_start();} Catch(){}
  $lockCounter++; 
}

private function unlock(){
  if ($lockCount<1) return;
  $lockCounter--;
  if ($lockCounter<1) try {session_write_close();} Catch(){}
}
}

#3


1  

This would be very difficult to do, if at all possible.

如果可能的话,这将是非常困难的。

Sessions should not have to worry about which tab they are in.

会话不应该担心他们所处的标签。

Also, what happens if session 1 in tab 1 opens a new window? Is it a new session?

此外,如果选项卡1中的会话1打开一个新窗口会发生什么?这是新会议吗?

#4


-2  

Here is a way to do that:

这是一种方法:

-First disable session cookies in php.ini with:

- 首先禁用php.ini中的会话cookie:

session.use_cookies = 0

This makes sure that cookies are not used to pass the session id.

这可确保cookie不用于传递会话ID。

-then Make sure you generate all your URLs with the session id included ( you get it through function session_id() e.g.:

- 然后确保生成包含会话ID的所有URL(通过函数session_id()获取它,例如:

print "<a href= \"http://www.example.com/".session_id()."&showlist=1\">show list</a>";