
php encrypted ssl session data

Developer https://www.devze.com 2023-01-20 09:43 Source: Internet

I have 2 servers running, one for the dynamic content (nginx, PHP) and another for login (apache2, PHP).

I use memcache to share the session information.

I upgraded the server software, and since then the session data in Apache is encrypted.

apache:

session::write("sessions/s53mqdhghmlrvnvjt05novt4m2","encrypted-data",0,1440)

nginx:

session::write("sessions/s53mqdhghmlrvnvjt05novt4m2","test|i:1;",0,1440)

On both servers the session IDs are the same, and the session cookie still passes the session ID, so all of that still works like it should.

Both servers use the exact same php.ini.

I looked in the SSL conf but I couldn't find anything that would set the session data to be encrypted.

Does anyone know where I can stop the session data from being encrypted on apache/mod_ssl?

Edit:

Well, I've found a working solution, but I still haven't found the origin of the problem. I do know that the session data has to leave the PHP process to be encrypted by mod_ssl, and the session save handler is called during the cleanup operations by PHP after the script ends.

But nothing about this behaviour is documented in the docs.

The solution is, for now, to not save the data provided by PHP at session::write, but rather to use session_encode() to generate the session hash again and save that.

For those of you reading this who do know how and why: I would really like to know how to turn off the directive that encrypts the data.


If you have the suhosin module loaded, like I did, it's probably the source of the problem. You can disable it completely or turn off session encryption by setting suhosin.session.encrypt to off in the suhosin ini file.
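
A way to confirm this on each server, added here as an example and not taken from the original question or answers: the script checks whether a payload reaching the save handler is in PHP's plain "php" serialization format and lists the Suhosin session settings in effect. The function names are hypothetical, the two sample payloads are the strings quoted in the question, and the default session.serialize_handler ("php") is assumed.

```php
<?php
// Added example (not from the original thread). Run it on both servers and compare.

/**
 * True if $data looks like the default "php" session serialization,
 * e.g. "test|i:1;" (variable name, a pipe, then a serialize() type tag).
 * Assumes session.serialize_handler = php.
 */
function looksLikePlainSessionPayload(string $data): bool
{
    if ($data === '') {
        return true; // an empty session is written as an empty string
    }
    return preg_match('/^[^|]+\|[bidsaOCEN][:;]/', $data) === 1;
}

/**
 * Collect the settings that decide whether Suhosin transforms session data.
 * The crypt key itself is deliberately not read, so it never lands in output or logs.
 */
function suhosinSessionReport(): array
{
    $report = [
        'suhosin_loaded'            => extension_loaded('suhosin'),
        'session.serialize_handler' => ini_get('session.serialize_handler'),
    ];
    $directives = [
        'suhosin.session.encrypt',      // the switch named in the answer above
        'suhosin.session.cryptdocroot', // these three make the key host- or client-dependent
        'suhosin.session.cryptua',
        'suhosin.session.cryptraddr',
    ];
    foreach ($directives as $name) {
        $value = ini_get($name); // false when the directive is not registered
        $report[$name] = ($value === false) ? 'n/a' : $value;
    }
    return $report;
}

// The two payloads shown in the question ("encrypted-data" is the asker's placeholder).
$samples = ['apache' => 'encrypted-data', 'nginx' => 'test|i:1;'];
foreach ($samples as $host => $payload) {
    printf("%-6s plain payload: %s\n", $host, looksLikePlainSessionPayload($payload) ? 'yes' : 'no');
}
foreach (suhosinSessionReport() as $name => $value) {
    printf("%-30s %s\n", $name, var_export($value, true));
}
```

Calling looksLikePlainSessionPayload() from inside the custom write handler and logging a warning on a mismatch will surface the problem the next time a server upgrade changes this behaviour.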


Session data is stored on the server and not inside the session cookie. If you read the cookie you will see that it's just a string of characters that holds an ID. By default (and simply put), PHP stores the session data by serializing the $_SESSION array and writing it to a file. I am not really sure if what you are trying to do is share session information across different environments. Since you mentioned memcached, just rewrite the session handling functions to read and write to/from memcached. Since you will control how the data is stored, you can store the data encrypted or not. Here is a reference on the session handling functions:

http://us3.php.net/manual/en/book.session.php
