PHP / Drupal, Session Storage and encryption

Submitted by 徘徊边缘 on 2019-12-24 06:49:12

Question


We're using Drupal on a number of sites. On all but one server, the data in the sessions table appears as a serialised string. This is normal behaviour AFAIK.

On the exception server, the session data is stored looking like,

_C0c5x_xpVKkya5nD68ChpaKaHYNzWTlEN52gOCkH1fIAvj3ziCydGnNbLXTO75q_pYLhumOYHzxD1D
_ue5tRgeeQR4YUIDWtAZ2hxlJ7QUHS-KvUnYb5tHMFUCpFuGMY4brDUfOwlUScSgC1cVvuT51cm62bD
jmU1XBvVAtZAfNrHpwgcy_-YE9a9ViXd4Jdzy7yzYo8ZGXoh0_p-xs3vfuQnsiCe3KkH89q_YiZwux8

(all one line, and very much longer than this)

Is it the result of PHP's session.serialize_handler configuration setting?

What's this? How can it be disabled?

Here's an example session entry from site A - this is what I'd like to see:

captcha|a:1:{s:12:"comment_form";a:3:{s:32:"5ce32afb28f38e2ec854eb2f9340e2e5";b:1;s:7:"success";b:0;s:32:"ba52f551aa38e84111938ef9fc2111e4";b:1;}}

And here's one from site B, with the "encoded" session data:

tYeyamtSbI6U_Z5a0DXCwL1pwoY5DUBDNOTDjyftul9Z4TLMMDdVr_8HxPWTleQ8wrTIEPyRAdxb6Ukz69tSEQ..

The encoded values always end with a period.


Answer 1:


The cause was Suhosin's transparent session encryption.

Relevant notes at php.net (on session_set_save_handler()) and hardened-php.net (on suhosin config)
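To find which servers are writing encrypted session rows, the two formats shown in the question can be told apart mechanically. The following is an added example, not code from the original post or from Drupal or Suhosin; the function names and session ids are hypothetical, and the "encoded" pattern is an assumption drawn only from the samples above (base64-like text using `_` and `-`, with `.` in the padding position).

```python
import re
from collections import Counter

# PHP's default "php" serialize handler stores name|serialized-value pairs.
PHP_SESSION = re.compile(r'^[^|]+\|(?:[abdis]:|N;|[OC]:)')
# Assumption from the page's samples: only A-Z a-z 0-9 _ - and trailing periods.
ENCODED = re.compile(r'^[A-Za-z0-9_-]+\.{0,2}$')


def classify_session(data):
    """Heuristically label one value from the sessions table."""
    if data == "":
        return "empty"
    if PHP_SESSION.match(data):
        return "php-serialized"
    # Base64-style output is always a multiple of four characters long.
    if ENCODED.match(data) and len(data) % 4 == 0:
        return "opaque-encoded"
    return "unknown"


def summarize(rows):
    """Count labels over (sid, data) rows, e.g. fetched from the sessions table."""
    return dict(Counter(classify_session(data) for _sid, data in rows))


# Payloads are the site A and site B samples from the question;
# the session ids and the last two rows are constructed for this example.
SAMPLE_ROWS = [
    ("sid-a", 'captcha|a:1:{s:12:"comment_form";a:3:{s:32:'
              '"5ce32afb28f38e2ec854eb2f9340e2e5";b:1;s:7:"success";b:0;'
              's:32:"ba52f551aa38e84111938ef9fc2111e4";b:1;}}'),
    ("sid-b", "tYeyamtSbI6U_Z5a0DXCwL1pwoY5DUBDNOTDjyftul9Z4TLMMDdVr_8H"
              "xPWTleQ8wrTIEPyRAdxb6Ukz69tSEQ.."),
    ("sid-c", ""),
    ("sid-d", "not a session payload!"),
]

if __name__ == "__main__":
    for sid, data in SAMPLE_ROWS:
        print(sid, classify_session(data))
    print(summarize(SAMPLE_ROWS))
```

On a host where rows come back as `opaque-encoded`, the Suhosin ini directive that controls this feature is `suhosin.session.encrypt`.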



Source: https://stackoverflow.com/questions/1005041/php-drupal-session-storage-and-encryption
