Note: this page is a Chinese-English parallel translation of a popular StackOverFlow question, provided under the CC BY-SA 4.0 license. You are free to use/share it, but you must follow the same CC BY-SA license, cite the original URL and author information, and attribute it to the original authors (not me). Original StackOverFlow URL: http://stackoverflow.com/questions/23262351/

Time: 2020-09-09 02:47:05  Source: igfitidea

Laravel: What is "remember_token" in the "users" DB table?

laravel security authentication token

Asked by Onion

Is it safe to use the remember_token in the users table for authenticating the user into the application?

What is the purpose of this token? Currently, I'm using it in forms to check whether the user is logged in - if the token is not present, I show the login screen. Each time the user logs out, this token is regenerated.

Answer by sidneydobber

No. It's not supposed to be used to authenticate. It's used by the framework to help against Remember Me cookie hijacking. The value is refreshed upon login and logout. If a cookie is hijacked by a malicious person, logging out makes the hijacked cookie useless since it doesn't match anymore.

Refer to this documentation:

https://laravel.com/docs/4.2/upgrade#upgrade-4.1.29
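
A minimal model of the mechanism described in this answer, added here as an illustration and not taken from the answer or from Laravel's source. The function names, the `id|token` cookie layout and the in-memory `$users` array are assumptions made for the example.

```php
<?php
// Simplified model of a "remember me" check; not Laravel's implementation.
// $users stands in for the users table (constructed sample row).
$users = [1 => ['username' => 'onion', 'remember_token' => null]];

// Generate a fresh random token and store it on the user row.
function cycleToken(array &$users, int $id): string
{
    $token = bin2hex(random_bytes(30)); // 60 hex chars, fits a VARCHAR(100)
    $users[$id]['remember_token'] = $token;
    return $token;
}

// Login with "remember me": the cookie carries the user id and the token.
function login(array &$users, int $id): string
{
    return $id . '|' . cycleToken($users, $id);
}

// Logout: rotate the stored token so every outstanding cookie stops matching.
function logout(array &$users, int $id): void
{
    cycleToken($users, $id);
}

// Validate a presented cookie against the stored token in constant time.
function userFromCookie(array $users, string $cookie): ?int
{
    $parts = explode('|', $cookie, 2);
    if (count($parts) !== 2 || !ctype_digit($parts[0])) {
        return null; // malformed cookie
    }
    $id = (int) $parts[0];
    $stored = $users[$id]['remember_token'] ?? null;
    if (!is_string($stored) || !hash_equals($stored, $parts[1])) {
        return null; // unknown user, no token on record, or token mismatch
    }
    return $id;
}

$cookie = login($users, 1);                 // cookie issued to the user's browser
$copy   = $cookie;                          // constructed: a copy held elsewhere
var_dump(userFromCookie($users, $copy));    // checked while the stored token is unchanged
logout($users, 1);                          // user logs out, stored token is rotated
var_dump(userFromCookie($users, $copy));    // checked again after the rotation
```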

Answer by Cyril T

I had to add the remember_token to my users table migration in order for Auth::logout() to work properly.

Added remember_token to my migrations as such.

<?php

use Illuminate\Database\Schema\Blueprint;
use Illuminate\Database\Migrations\Migration;

class CreateUsersTable extends Migration {

    /**
     * Run the migrations.
     *
     * @return void
     */
    public function up()
    {
        //
        Schema::create('users', function(Blueprint $table)
        {
            $table->increments('id');
            $table->string('lname', 32);
            $table->string('fname', 32);
            $table->string('username', 32);
            $table->string('email', 320);
            // Nullable: the column stays NULL until the framework first writes a token.
            $table->string('remember_token', 100)->nullable();
            $table->string('password', 64);

            $table->timestamps();
        });
    }

    /**
     * Reverse the migrations.
     *
     * @return void
     */
    public function down()
    {
        //
        Schema::drop('users');

    }

}

From the command line you then have to drop the users table, then migrate/seed.

Answer by LinusCDE98

Even if this is an old question, I wanted to present an option to not use the token if you don't need it (e.g. you have no remember me option on your site).

Instead of adding a dummy column to your users table you can just prevent Auth::logout() from setting it.

Just add this to your User model (works as of Laravel 5.6):

public function save(array $options = array()) {
    if(isset($this->remember_token))
        unset($this->remember_token);

    return parent::save($options);
}

This removes the 'remember_token' column just before the model gets saved, thus preventing an error from being raised because of the non-existent column.

Answer by DanielM

Laravel provides a CSRF token in a hidden input it automatically adds and validates whenever a form is submitted, whether you're logged in or not. If you're using their Form builder, this is happening without you even needing to check on it.

You should check if the user is logged in on submission using the Auth facade.
