日期:2012-05-01 浏览次数:20593 次
大家都知道SESSION是不可以跨域的,也就是说: A.WEMVC.COM这个域的可执行文件不可以访问到B.WEMVC.COM的SESSION,这个是SESSION的特性,同样也是出于安全角度才这样的.
在一般情况下,一个网站只有一个域名,但是也有些网站架构是由多个子域名组建的.所以就需要SESSION可以跨子域被访问到,这样才可以实现用户的跨域登录.就是说客户在A下登录的,同样B也同时登录了,不需要用户再次登录,同时也实现了参数的跨域传递.当然不可跨域的SESSION本身已经可以帮助我们做很多事情了,那么跨域后的SESSION呢.读到这里是否很激动人心,当然你也可能是正在为SESSION跨域而发愁而找到这篇文章的,同样也祝贺你.我们长话断说了,开始我们今天的课程:COOKIE与SESSION联用实现SESSION跨域.
首先让我们再重新温习下PHP中的COOKIE和SESSION:
COOKIE:
定义:
cookie 常用于识别用户。cookie 是服务器留在用户计算机中的小文件。每当相同的计算机通过浏览器请求页面时,它同时会发送 cookie。通过 PHP,您能够创建并取回 cookie 的值。PS:其中文名叫”曲奇”.
在PHP中用setCookie函数来设置COOKIE,该函数一共有7个参数(在此我要向曾经我面试过的一位同仁道歉,当时我把答案说成了6个,SORRY~,同时我也提醒广大作家尽快更新自己的文章,在PHP5.2.0版本中已经增加为7个参数.),这7个参数分别为 string $name [, string $value [, int $expire [, string $path [, string $domain [, bool $secure [, bool $httponly ]]]]]] .
name The name of the cookie. 规定 cookie 的名称。
value The value of the cookie. This value is stored on the clients computer; do not store sensitive information. Assuming the name is ‘cookiename’, this value is retrieved through $_COOKIE['cookiename'] 规定 cookie 的值。
expire The time the cookie expires. This is a Unix timestamp so is in number of seconds since the epoch. In other words, you’ll most likely set this with the time() function plus the number of seconds before you want it to expire. Or you might use mktime(). time()+60*60*24*30 will set the cookie to expire in 30 days. If set to 0, or omitted, the cookie will expire at the end of the session (when the browser closes).规定 cookie 的有效期。
Note: You may notice the expire parameter takes on a Unix timestamp, as opposed to the date format Wdy, DD-Mon-YYYY HH:MM:SS GMT, this is because PHP does this conversion internally.
expire is compared to the client’s time which can differ from server’s time.
path The path on the server in which the cookie will be available on. If set to ‘/’, the cookie will be available within the entire domain . If set to ‘/foo/’, the cookie will only be available within the /foo/ directory and all sub-directories such as /foo/bar/ of domain . The default value is the current directory that the cookie is being set in.规定 cookie 的服务器路径。
domain The domain that the cookie is available. To make the cookie available on all subdomains of example.com then you’d set it to ‘.example.com’. The . is not required but makes it compatible with more browsers. Setting it to www.example.com will make the cookie only available in the www subdomain. Refer to tail matching in the » spec for details.规定 cookie 的域名。
secure Indicates that the cookie should only be transmitted over a secure HTTPS connection from the client. When set to TRUE, the cookie will only be set if a secure connection exists. The default is FALSE. On the server-side, it’s on the programmer to send this kind of cookie only on secure connection (e.g. with respect to $_SERVER["HTTPS"]).规定是否通过安全的 HTTPS 连接来传输 cookie。
httponly When TRUE the cookie will be made accessible only through the HTTP protocol. This means that the cookie won’t be accessible by scripting languages, such as JavaScript. This setting can effectly help to reduce identity theft through XSS attacks (although it is not supported b