0

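I am using uploadify, and the script (which uses Adobe Flash) creates a new session when it requests the upload action URL instead of using the current session. To fix this, I need to pass the session ID along.

Is there a way to do this without allowing session fixation (hijacking)?

Here are the details of the problem: Sessions and uploads

Thanks!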

4

1 Answer

2

Create a temporary upload session in your script (untested, but you get the point about being able to have several different sessions):

<?php
//normal session
session_start();
if(!empty($_SESSION['logged_in'])){ //or however you check for a valid user
    //store sessionid for retrieval
    $oldsessionid = session_id();
    //stop old/normal session
    session_write_close();
    //create a new sessionname
    $oldname = session_name('UPLOADSESSION');
    //create a new random id (a fixed id would be shared by every user)
    session_id(bin2hex(random_bytes(16)));
    //start the session
    session_start();
    $_SESSION['upload'] = true;
    $uploadid = session_id();
    //now you can use `'data: "artist="+$fi+"&UPLOADSESSION="'.$uploadid` in uploadify
    session_write_close();
    //return to normal name (only needed when the upload session was opened)
    session_name($oldname);
    //set old session id
    session_id($oldsessionid);
    //resume normal session
    session_start();
}

So, in your receiving script:

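<?php
//reject requests that carry no upload session id or a malformed one
if(!isset($_POST['UPLOADSESSION']) || !is_string($_POST['UPLOADSESSION'])
   || !preg_match('/^[A-Za-z0-9,-]{1,128}$/', $_POST['UPLOADSESSION'])){
   http_response_code(403);
   exit;
}
session_name('UPLOADSESSION');
session_id($_POST['UPLOADSESSION']);
session_start();
if(isset($_SESSION['upload']) && $_SESSION['upload']){
   //accept files
   //invalidate session after this upload
   $_SESSION['upload'] = false;
}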

The user will still have 2 cookies, and possibly UPLOADSESSION is fixated, but you don't use it for anything else than uploading, and only for 1 upload (although you might want to allow more).

Alternatively, you could just call a session_regenerate_id(); on the first request after an upload (just set a flag in the $_SESSION on upload).

Answered 2010-11-04T21:26:45.580
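A different technique from the second named session in the answer above, as an added example that is not part of the original answer: a short-lived, single-use HMAC-signed token is passed in uploadify's data, so no session ID of any kind travels in the request body. The key, lifetime, function names and the directory used to record spent nonces are assumptions made for this example.

```php
<?php
// Added example. UPLOAD_TOKEN_KEY, UPLOAD_TOKEN_TTL, issueUploadToken() and
// redeemUploadToken() are hypothetical names, not part of uploadify or PHP.
const UPLOAD_TOKEN_KEY = 'replace-with-a-long-random-server-side-secret'; // placeholder
const UPLOAD_TOKEN_TTL = 300; // seconds a token stays valid (assumed value)

// Called on the page that renders uploadify, for an authenticated user.
function issueUploadToken(string $userId, ?int $now = null): string
{
    $payload = json_encode([
        'uid'   => $userId,
        'exp'   => ($now ?? time()) + UPLOAD_TOKEN_TTL,
        'nonce' => bin2hex(random_bytes(16)),
    ]);
    $body = rtrim(strtr(base64_encode($payload), '+/', '-_'), '=');
    return $body . '.' . hash_hmac('sha256', $body, UPLOAD_TOKEN_KEY);
}

// Called in the receiving script. Returns the user id, or null when the token
// is malformed, forged, expired or already spent.
// $usedDir must be writable and must not be served by the web server.
function redeemUploadToken(string $token, string $usedDir, ?int $now = null): ?string
{
    $parts = explode('.', $token);
    if (count($parts) !== 2) return null;
    [$body, $mac] = $parts;
    // Verify the MAC in constant time before trusting anything in the body.
    if (!hash_equals(hash_hmac('sha256', $body, UPLOAD_TOKEN_KEY), $mac)) return null;
    $claims = json_decode((string) base64_decode(strtr($body, '-_', '+/')), true);
    if (!is_array($claims) || !isset($claims['uid'], $claims['exp'], $claims['nonce'])) return null;
    if (!ctype_xdigit((string) $claims['nonce'])) return null;
    if ((int) $claims['exp'] < ($now ?? time())) return null;
    // Single use: mode 'x' creates the marker atomically and fails if it exists.
    $marker = @fopen($usedDir . '/' . $claims['nonce'], 'x');
    if ($marker === false) return null;
    fclose($marker);
    return (string) $claims['uid'];
}

// Constructed demonstration with a throwaway nonce directory and user id.
$dir = sys_get_temp_dir() . '/upload-nonces-' . bin2hex(random_bytes(4));
mkdir($dir, 0700);
$token = issueUploadToken('user-42');
var_dump(redeemUploadToken($token, $dir));        // first presentation
var_dump(redeemUploadToken($token, $dir));        // replay of the same token
var_dump(redeemUploadToken($token . 'x', $dir));  // altered MAC
```

The token goes into uploadify's data in place of `UPLOADSESSION`; marker files older than the token lifetime can be deleted by a periodic cleanup job.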