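I searched online for a long time and finally figured it out. It may not be the best approach, but it is definitely a very practical one.
The most important part is setting the session ID in the local cookie, using the following calls: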
$currentSessionID = session_id();
and
session_id($currentSessionID );
A simple example:
Script 1 (HTTP):
<?php
// This script will create a session and display a link to your secure server address
// to transfer your session ID. In this example, the secure page to receive the session
// ID is located at https://www.yoursite.com/safePages/securePage.php
// Start a session using the current session ID stored in a cookie, or create
// a new session if none is set.
session_start();
$currentSessionID = session_id();
// Set a variable that will be retrieved with the HTTPS script.
$_SESSION['testvariable'] = 'It worked';
// $secureServerDomain is the domain of your secure server
$secureServerDomain = 'www.yoursite.com';
// $securePagePath is the path to the page that will receive and set the session ID.
$securePagePath = '/safePages/securePage.php';
// Build the link; the session ID is passed in the "session" query parameter.
echo '<a href="https://' . $secureServerDomain . $securePagePath . '?session=' . urlencode($currentSessionID) . '">Click here to transfer your session to the secure server</a>';
?>
Script 2 (HTTPS):
<?php
// Retrieve the session ID as passed via the GET method.
$currentSessionID = $_GET['session'];
// Set a cookie for the session ID.
session_id($currentSessionID);
// Start a session.
session_start();
// Test retrieval of variable set when using HTTP.
if (!empty($_SESSION['testvariable'])) {
    echo $_SESSION['testvariable'];
} else {
    echo 'It did not work.';
}
?>
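http://www.mysite.com/page.php redirects to https://www.mysite.com/page.php
or
http://mysite.com redirects to https://mysite.com/page.php.
About security:
It is fair to say the security is the same as with traditional login verification: neither is very secure. Because the sid is transmitted without encryption, someone else can obtain the session id by eavesdropping or sniffing, and with it your session data. So as a next step you can consider encrypting the session id before transmitting it.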
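One way to do what the paragraph above suggests, as an added example that is not code from the original post: the session ID is sealed with libsodium's secretbox together with an expiry time and a one-time value, and the HTTPS script rotates the session ID after accepting it. The function names, HANDOFF_TTL and the shared 32-byte key $key are assumptions, and the array form of session_set_cookie_params() needs PHP 7.3 or later.

```php
<?php
// Added example, not from the original post. $key is an assumed 32-byte
// secret shared by both scripts (SODIUM_CRYPTO_SECRETBOX_KEYBYTES long).
const HANDOFF_TTL = 30; // seconds a link stays valid (assumed value)
const B64 = SODIUM_BASE64_VARIANT_URLSAFE_NO_PADDING;
const IV_LEN = SODIUM_CRYPTO_SECRETBOX_NONCEBYTES;

// Script 1 (HTTP), after session_start(): seal the session ID with an
// expiry time and a one-time value that is also remembered in the session.
function makeHandoffToken(string $key): string
{
    $_SESSION['handoff_once'] = bin2hex(random_bytes(16));
    $payload = json_encode([
        'sid'  => session_id(),
        'exp'  => time() + HANDOFF_TTL,
        'once' => $_SESSION['handoff_once'],
    ]);
    $iv = random_bytes(IV_LEN);
    return sodium_bin2base64($iv . sodium_crypto_secretbox($payload, $iv, $key), B64);
}

// Script 2 (HTTPS), instead of session_id($_GET['session']): returns true
// only for an untampered, unexpired token that has not been used before.
function acceptHandoffToken(string $token, string $key): bool
{
    try {
        $raw = sodium_base642bin($token, B64);
        if (strlen($raw) <= IV_LEN) {
            return false;
        }
        $plain = sodium_crypto_secretbox_open(substr($raw, IV_LEN), substr($raw, 0, IV_LEN), $key);
    } catch (SodiumException $e) {
        return false; // malformed base64 or wrong key length
    }
    $data = ($plain === false) ? null : json_decode($plain, true);
    if (!is_array($data) || $data['exp'] < time()) {
        return false;
    }
    session_set_cookie_params(['secure' => true, 'httponly' => true, 'samesite' => 'Lax']);
    session_id($data['sid']);
    session_start();
    if (!hash_equals($_SESSION['handoff_once'] ?? '', $data['once'])) {
        session_abort();              // unknown session or replayed link:
        header_remove('Set-Cookie');  // do not hand out a cookie for it
        return false;
    }
    unset($_SESSION['handoff_once']);
    return session_regenerate_id(true); // old ID dies, new cookie is Secure-only
}
```

Both scripts must share session storage, as in the original example. The token only narrows the exposure: the session cookie still travels unencrypted on the HTTP pages, so anything sensitive should be put into the session only after the handoff.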
The other approach is to use a database:
See the attachment.
<?php
// Load the database-backed session class from the attachment.
require_once "session.class.php";
$oSession = new Session();
print_r($_SESSION); // First
$_SESSION['hi'] = "lisha"; // Comment this out once the session is set
$_SESSION['test'] = "gideon"; // Comment this out once the session is set
echo '===========';
// Now use PHP sessions as usual
print_r($_SESSION); // Second
Note that this requires the session_set_save_handler function, which must be used together with ini_set('session.save_handler', 'user');!