I am considering always passing ?PHPSESSID=x in the query string for
each relevant url as a workaround.
This is not best practice, but if you decide to go with this method (because it is easy), you can do something like this:
<?php
define("COOKIE_NAME", "PHPSESSID");
define("DOMAIN", "example.com");

function is_valid_cookie($cookie){
    //Test if the cookie is valid and does not have any malicious chars (";", etc)
    //Only the characters PHP itself uses for session ids are accepted
    //(0-9, a-z, A-Z, "," and "-"; session.sid_length allows 22 to 256 of them)
    return is_string($cookie) && preg_match('/^[0-9a-zA-Z,-]{22,256}$/', $cookie) === 1;
}

function is_logged_in(){
    //Test if the user is logged in
    //The cookie only names a session; the session data must say who is logged in
    //(assumes the login code stores the user id in $_SESSION["user_id"])
    if(session_status() !== PHP_SESSION_ACTIVE){
        session_start();
    }
    return !empty($_SESSION["user_id"]);
}

function sanitize_url($url){
    //Sanitize URL
    //If you have PHP >= 4.4.2 or PHP >= 5.1.2, I believe you have nothing to worry here:
    //header() refuses a value containing a newline, so a second header cannot be smuggled in
    //Strip CR/LF anyway so the redirect does not depend on that check
    return str_replace(array("\r", "\n"), '', $url);
}

function remove_querystring_var($url, $toRemove){
    //Removes $toRemove from query string of the $url
    $pos = strpos($url, '?');
    if($pos === false){
        //No query string: nothing to remove (without this check substr() would mangle the URL)
        return $url;
    }
    $parsed = array();
    parse_str(substr($url, $pos + 1), $parsed);
    $url = substr($url, 0, $pos);
    unset($parsed[$toRemove]);
    if(!empty($parsed)){
        $url .= '?' . http_build_query($parsed);
    }
    return $url;
}

//The current URL with the session id removed from the query string
$self = sanitize_url(remove_querystring_var("https://".DOMAIN.$_SERVER["REQUEST_URI"], COOKIE_NAME));

if(isset($_GET[COOKIE_NAME])){
    if(is_valid_cookie($_GET[COOKIE_NAME])){
        //Copy the id from the query string into the session cookie. This is the workaround itself:
        //whoever chooses the id in the link chooses the session, so only accept ids your own code issued.
        //Secure and HttpOnly flags keep the cookie off plain HTTP and away from scripts.
        setcookie(COOKIE_NAME, $_GET[COOKIE_NAME], time() + 24*3600, "/", ".".DOMAIN, true, true);
    }
    //Valid or not, redirect to the same URL without the id so it does not stay in the
    //address bar, browser history, logs or the Referer header of outgoing links
    header("Location: ".$self);
    exit(0);
}
else if(!is_logged_in()){
    echo "Invalid session!";
    exit(0);
}
//...
echo "Welcome!";
?>
Example:
link
Google will use and exclude the &auth variable, but will keep the &anything, since &auth carries the authorization for sensitive data for Google.
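As an added example, not part of the question or either answer above: the PHP session settings that decide whether an id arriving in the URL is honoured at all, with the weak values shown beside the hardened ones, plus the regenerate-on-login step that makes an id someone chose in advance worthless. It assumes the same example.com domain as the answer and PHP 7.3 or later for the array form of session_set_cookie_params().

```php
<?php
// Weak configuration (php.ini values that let a session id travel in the URL):
//   session.use_only_cookies = 0   ; PHP also reads ?PHPSESSID=... from the request
//   session.use_trans_sid    = 1   ; PHP rewrites links/forms to carry the id
//   session.use_strict_mode  = 0   ; any well-formed id is accepted, even one PHP never issued
// With those values a link containing ?PHPSESSID=x fixes the visitor's session to x.

// Hardened configuration: the cookie is the only carrier and unknown ids are discarded.
ini_set('session.use_only_cookies', '1');   // ignore ?PHPSESSID=... in the query string
ini_set('session.use_trans_sid', '0');      // never rewrite URLs to carry the id
ini_set('session.use_strict_mode', '1');    // ids PHP did not create itself get replaced

// Cookie attributes, same domain scope as the answer's setcookie() call (example.com is an assumption)
session_set_cookie_params([
    'lifetime' => 0,              // session cookie, gone when the browser closes
    'path'     => '/',
    'domain'   => '.example.com', // shared across sub-domains
    'secure'   => true,           // HTTPS only
    'httponly' => true,           // not readable from JavaScript
    'samesite' => 'Lax',          // not sent on cross-site POSTs
]);
session_start();

function login_user(int $userId): void {
    // Issue a fresh id at the privilege change so an id fixed before login
    // no longer refers to the authenticated session; true deletes the old file.
    session_regenerate_id(true);
    $_SESSION['user_id'] = $userId;
}

function logout_user(): void {
    // Drop the data and the id together so the old cookie value cannot be reused.
    $_SESSION = [];
    session_destroy();
}

function is_logged_in(): bool {
    return isset($_SESSION['user_id']);
}
?>
```

With use_strict_mode on, a request carrying a cookie whose id has no session file behind it silently gets a new id, so the query-string workaround above only works if the id was issued by the server first.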