与 PHP 共享 Laravel 身份验证/会话
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/20968414/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
Share Laravel authentication/session with PHP
提问by Kay Lucas
I'm trying to use Laravels authentication with a number of simple HTML/Javascript applications.
我正在尝试将 Laravel 身份验证与许多简单的 HTML/Javascript 应用程序一起使用。
The way I think it would ideally work is this:
我认为理想的工作方式是这样的:
- The user visits the simple HTML application
- The simple HTML application includes a PHP file which checks if a user is authenticated. If this is not the case the user is sent to the Laravel application to login, if the user is logged in he can simply use the application.
- The user logs in through Laravel and is redirected back to the HTML application where this process will start over again.
- 用户访问简单的 HTML 应用程序
- 简单的 HTML 应用程序包含一个 PHP 文件,用于检查用户是否已通过身份验证。如果不是这种情况,用户将被发送到 Laravel 应用程序进行登录,如果用户已登录,则他可以简单地使用该应用程序。
- 用户通过 Laravel 登录并被重定向回 HTML 应用程序,此过程将在那里重新开始。
The problem I have is checking whether a user is logged in the PHP script. Laravels session is not available there (and sharing it through session_start()and $_SESSION["auth"] = truewill only add the variable to Laravels version of the native PHP session).
我遇到的问题是检查用户是否已登录 PHP 脚本。Laravel 会话在那里不可用(并通过共享它session_start()并且$_SESSION["auth"] = true只会将变量添加到本机 PHP 会话的 Laravel 版本)。
These are the settings I have in app/config/session.php
这些是我的设置 app/config/session.php
return array(
'driver' => 'native',
'lifetime' => 120,
'files' => storage_path().'/sessions',
'connection' => null,
'table' => 'sessions',
'lottery' => array(2, 100),
'cookie' => 'laravel_session',
'path' => null,
'domain' => null,
);
I've changed the path to nullbecause I want to use the session on the entire domain.
我已将路径更改为 ,null因为我想在整个域上使用会话。
My included PHP script is very simple and looks like this:
我包含的 PHP 脚本非常简单,如下所示:
session_start();
if($_SESSION['authenticated']){
echo "logged_in";
} else {
header("Location: laravel/login/url");
}
You might wonder why I don't just include the application in Laravels framework, it's because there are about 100 different versions of this simple HTML application scattered over 10 domain names, at the moment every domain name has it's own (very old and insecure) login script (which is copied every time a new domain gets made). Therefor I want to centralize this with one database and one management system using Laravel.
你可能想知道为什么我不只将应用程序包含在 Laravels 框架中,这是因为这个简单的 HTML 应用程序有大约 100 个不同的版本分散在 10 个域名上,目前每个域名都有自己的(非常古老且不安全)登录脚本(每次创建新域时都会复制)。因此,我想使用 Laravel 将其集中在一个数据库和一个管理系统中。
Hopefully someone here knows how to fix this problem or work around it (maybe I should try to use Laravels session package in my PHP script?).
希望这里有人知道如何解决这个问题或解决它(也许我应该尝试在我的 PHP 脚本中使用 Laravel 会话包?)。
采纳答案by berrberr
Laravel uses storage drivers for it's session management - meaning trying to access it's contents through the PHP $_SESSION variable will never work. Your config is setting the default session driver to "native" which (I think) the file session driver, meaning all session data is stored in app/storage/sessions (I believe that it stores the session data in some JSON like structure). You can read more about the session drivers here.
Laravel 使用存储驱动程序进行会话管理——这意味着尝试通过 PHP $_SESSION 变量访问它的内容将永远不会工作。您的配置将默认会话驱动程序设置为“本机”(我认为)文件会话驱动程序,这意味着所有会话数据都存储在 app/storage/sessions 中(我相信它将会话数据存储在一些类似 JSON 的结构中)。您可以在此处阅读有关会话驱动程序的更多信息。
So to answer your question, there are a couple of ways that come to mind to solve this. What I would probably do is implement a simple custom session interface that will simply check if a user is logged in. You can set the user's session to logged in when you authenticate the user through your laravel form. For example:
因此,为了回答您的问题,我想到了几种方法来解决这个问题。我可能会做的是实现一个简单的自定义会话界面,该界面将简单地检查用户是否已登录。当您通过 Laravel 表单验证用户身份时,您可以将用户的会话设置为登录。例如:
if (Auth::attempt(array('email' => $email, 'password' => $password))) {
// Set your user's session to logged in here. You will have to implement some
// system to do so, the below code is INSECURE/NOT USEABLE
$_SESSION['user'] = $email;
}
And then you would do the reverse when the user logs out. As mentioned above, simply setting the user's session to logged in is very insecure for a multitude of reasons, the most glaring being session hiHymaning. (Thisis an excellent read on the subject) If you can implement a secure session management system (and really, it should not be difficult and will be lightweight) then I think that this strategy is your best bet.
然后当用户退出时你会做相反的事情。如上所述,由于多种原因,简单地将用户的会话设置为登录是非常不安全的,最明显的是会话劫持。(这是一篇关于该主题的优秀读物)如果您可以实现一个安全的会话管理系统(实际上,它应该不难,而且是轻量级的),那么我认为这种策略是您最好的选择。
The alternative is to try to use cookies as the session driver but doing so will add more layers of complexity and garbage as you will first have to get the Laravel session id from one cookie and use that to read another ... not an elegant solution.
另一种方法是尝试使用 cookie 作为会话驱动程序,但这样做会增加更多的复杂性和垃圾层,因为您首先必须从一个 cookie 中获取 Laravel 会话 ID 并使用它来读取另一个......不是一个优雅的解决方案.
So I would recommend using the first method I talked about and implementing a simple and secure session management system. Hope this helped!
所以我建议使用我谈到的第一种方法并实现一个简单而安全的会话管理系统。希望这有帮助!
回答by frzsombor
An other solution: using the following code you can boot into Laravel using the real Laravel session, so you can actually use Auth::check() for authorization and you don't even have to use the native $_SESSION.
另一种解决方案:使用以下代码,您可以使用真正的 Laravel 会话启动到 Laravel,因此您实际上可以使用 Auth::check() 进行授权,甚至不必使用本机 $_SESSION。
