php Codeigniter - 会话过期和“记住我”功能
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/14550213/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
Codeigniter - Session expiration and "remember me" feature
提问by Jorg Ancrath
I'm building a "Remember Me" feature in Codeigniter, normally I see libraries/projects setting a cookie on the user with a token, this token gets saved in the database and is compared each time the user accesses the website.
我正在 Codeigniter 中构建“记住我”功能,通常我看到库/项目使用令牌在用户上设置 cookie,该令牌保存在数据库中,并在用户每次访问网站时进行比较。
In Codeigniter we can set the session expiration time though, this lead me to try a different approach, this is what I did:
在 Codeigniter 中,我们可以设置会话过期时间,这让我尝试了一种不同的方法,这就是我所做的:
- I set the session_expiration in config to 0 (infinite session)
- If the user leaves "Remember me" unchecked, I set a 2 hour time in the session and session destroy on window close.
- 我将配置中的 session_expiration 设置为 0(无限会话)
- 如果用户未选中“记住我”,我会在会话中设置 2 小时的时间,并在窗口关闭时销毁会话。
So my login code looks like this:
所以我的登录代码如下所示:
if (!$this->input->post('remember_me')) {
$this->session->sess_expiration = 7200;
$this->session->sess_expire_on_close = TRUE;
}
$this->session->set_userdata($session_data);
And my config file:
还有我的配置文件:
$config['sess_expiration'] = 0;
$config['sess_expire_on_close'] = FALSE;
I don't see people using this solution on projects, I have tested this out and it seems to work fine though.
我没有看到人们在项目中使用此解决方案,我已经对此进行了测试,但它似乎工作正常。
SO, for my question, would you say this a safe practice to do? Any security dangers I should know about? Any input on this solution vs cookie+database token would be great.
所以,对于我的问题,你会说这是一种安全的做法吗?我应该知道的任何安全危险?对此解决方案与 cookie + 数据库令牌的任何输入都会很棒。
回答by ramz
The simpliest solution that I have found for this problem is to just modify the cookie created by Codeigniter by this way:
我为这个问题找到的最简单的解决方案是通过这种方式修改由 Codeigniter 创建的 cookie:
$this->session->set_userdata('user', $user); // a cookie has been created
if($this->input->post('remember_me'))
{
$this->load->helper('cookie');
$cookie = $this->input->cookie('ci_session'); // we get the cookie
$this->input->set_cookie('ci_session', $cookie, '35580000'); // and add one year to it's expiration
}
回答by Sadat
Also this can be done by editing/extending system Session library.
这也可以通过编辑/扩展系统会话库来完成。
First:Set regular session expire time in config file. Second:In user login function add remember me check-
第一:在配置文件中设置常规会话过期时间。 第二:在用户登录功能中添加记住我检查-
if($remember)
{
$data['new_expiration'] = 60*60*24*30;//30 days
$this->session->sess_expiration = $data['new_expiration'];
}
$this->session->set_userdata($data);
Third:Edit system Session library [I am not sure whether extending Session will work or not]
Go to this line in sess_read()method
第三:编辑系统Session库【我不确定扩展Session是否有效】在sess_read()方法中转到这一行
if (($session['last_activity'] + $this->sess_expiration) < $this->now)
Before that line add following code
在该行之前添加以下代码
if(isset($session['new_expiration'])){
$this->sess_expiration = $session['new_expiration'];
}
This works fine for me.
这对我来说很好用。
回答by itsme
I can't say it's not right, but I can tell you my way of doing this:
我不能说这是不对的,但我可以告诉你我这样做的方式:
First I set the session to expires on browser close with a default uptime of 7200.
首先,我将会话设置为在浏览器关闭时过期,默认正常运行时间为 7200。
Then:
然后:
The login sets session userdata
The "remember me" sets a separated cookie (I store an encrypted hash containing user's email+password+id ie: md5(pass+email+id))
登录设置会话用户数据
“记住我”设置了一个单独的 cookie(我存储了一个包含用户电子邮件+密码+id 的加密哈希,即:md5(pass+email+id))
Every time the user loads a page I control if the remember me cookie exist, if exist I create the user session.
每次用户加载页面时,我都会控制是否存在记住我的 cookie,如果存在,我会创建用户会话。
The only thing I know is that session, uses an encryption key, a malicious attacker will take time to decrypt, so the less a session key exist the less time attacker has for decrypt the current key.
我唯一知道的是该会话使用加密密钥,恶意攻击者需要时间来解密,因此会话密钥存在的越少,攻击者解密当前密钥的时间就越少。
I always avoid session to not expire, so the Remember me, is always something not good for security I think, but anyway is the user to choose or not if to use that feature ;)
我总是避免会话不过期,所以记住我,我认为总是不利于安全,但无论如何用户是否选择是否使用该功能;)
