How to log out of an expired session in Laravel 5.x?

Question

More recent versions of Laravel (correctly) use POST to log out of a session. The reasoning for this is that GET/HEAD should only be used for passive actions to be HTTP compliant.

POSTing with a CSRF token also protects against malicious users/sites logging you out of your sessions: https://security.stackexchange.com/questions/62769/must-login-and-logout-action-have-csrf-protection

However if the session has already timed out, and the user clicks logout (which triggers a POST to the logout route) a token mismatch error is received. It makes sense - the token doesn't match, because the session has expired.

I can just catch that particular TokenMismatchException based on the request variables, and if so, continue them on their merry way (to the logged out redirect path, say "home" or "/"). Like this:

// app/Exceptions/Handler.php
use Illuminate\Session\TokenMismatchException;

public function render($request, Exception $e)
{
    // Only for the logout route: the token cannot match because the session
    // has already expired, so treat the user as logged out and send them home.
    if ($e instanceof TokenMismatchException && $request->getRequestUri() === '/logout') {
        return redirect('/');
    }

    // Everything else keeps the default handling (including the 419 for CSRF).
    return parent::render($request, $e);
}

My question is: if I do the above, what is the point of the token in the first place? And how do you log out a user when their session has expired while maintaining the intended outcomes of using a POST logout with a CSRF token?

Answer

For Laravel 5.7, see the update below.

The middleware that checks authentication should run before the middleware that checks the validity of the CSRF token.

That way, when the session has expired, you never get to the CSRF check in the first place because you have already checked for session expiration in the authentication middleware and done the redirect to the login page there.

This will not affect the CSRF protection of valid sessions logging out, because the valid session will make it through the authentication middleware.

By default, the Laravel middleware runs the CSRF check first. However, it should be easy to reorder them to work the other way.

For Laravel 5.7:

In Laravel 5.7, the Illuminate\Foundation\Http\Kernel class has a new field:

/**
 * The priority-sorted list of middleware.
 *
 * This forces non-global middleware to always be in the given order.
 *
 * @var array
 */
protected $middlewarePriority = [
    \Illuminate\Session\Middleware\StartSession::class,
    \Illuminate\View\Middleware\ShareErrorsFromSession::class,
    \Illuminate\Auth\Middleware\Authenticate::class,
    \Illuminate\Session\Middleware\AuthenticateSession::class,
    \Illuminate\Routing\Middleware\SubstituteBindings::class,
    \Illuminate\Auth\Middleware\Authorize::class,
];

Middleware classes that appear in this field are always run in the order in which they appear. The default setting for this field is shown above. (The Laravel starter project has only one change to this list: \App\Http\Middleware\Authenticate::class instead of \Illuminate\Auth\Middleware\Authenticate::class.)

If you add the CSRF middleware to the list (anywhere below the authentication middleware), that should ensure that it always runs in the order you want.
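Putting the answer into practice on a Laravel 5.7 application, as an added example that is not code from the question, the answer, or the Laravel project itself. It assumes the standard 5.7 starter layout: App\Http\Middleware\Authenticate is registered as the `auth` route middleware, App\Http\Middleware\VerifyCsrfToken sits in the `web` group, and Auth\LoginController is the one generated by `php artisan make:auth`. Two files are shown in one block; the second part addresses a detail the answer relies on but does not spell out: the priority list only reorders middleware that a route actually carries, and the generated logout route does not carry `auth`.

```php
<?php
// Added example, not from the original page. Laravel 5.7 starter layout assumed
// (see the lead-in for the class names this relies on).

// ---- app/Http/Kernel.php -------------------------------------------------
namespace App\Http;

use Illuminate\Foundation\Http\Kernel as HttpKernel;

class Kernel extends HttpKernel
{
    // $middleware, $middlewareGroups and $routeMiddleware are unchanged from
    // the starter project; only the priority list is overridden here.

    /**
     * The parent's list with one addition: VerifyCsrfToken placed below
     * Authenticate. With an expired session, Authenticate now fails first and
     * redirects to the login page, so VerifyCsrfToken (which would throw
     * TokenMismatchException and render the 419 "Page Expired" response) is
     * never reached. A live session still passes Authenticate and is then
     * subject to the full CSRF check, so logout CSRF protection is unchanged.
     */
    protected $middlewarePriority = [
        \Illuminate\Session\Middleware\StartSession::class,
        \Illuminate\View\Middleware\ShareErrorsFromSession::class,
        \App\Http\Middleware\Authenticate::class,
        \Illuminate\Session\Middleware\AuthenticateSession::class,
        \App\Http\Middleware\VerifyCsrfToken::class, // added; must stay after Authenticate
        \Illuminate\Routing\Middleware\SubstituteBindings::class,
        \Illuminate\Auth\Middleware\Authorize::class,
    ];
}

// ---- app/Http/Controllers/Auth/LoginController.php -----------------------
// The make:auth controller applies 'guest' to every action except logout but
// does not apply 'auth' to logout. Without 'auth' on the route, an expired
// session never meets Authenticate and still ends up at VerifyCsrfToken.
namespace App\Http\Controllers\Auth;

use App\Http\Controllers\Controller;
use Illuminate\Foundation\Auth\AuthenticatesUsers;

class LoginController extends Controller
{
    use AuthenticatesUsers;

    protected $redirectTo = '/home';

    public function __construct()
    {
        $this->middleware('guest')->except('logout');
        $this->middleware('auth')->only('logout'); // added
    }
}
```

To check the behaviour, run the app locally and send a POST to /logout with no session cookie and no token, for example `curl -i -X POST http://localhost:8000/logout`: with the change in place the response is a 302 to the login page (the target comes from `redirectTo()` in App\Http\Middleware\Authenticate), where before it was a 419. Repeating the request with a valid session cookie but a missing or wrong `_token` must still return 419; that is the cross-site logout case the token exists for. Do this with curl or a browser rather than a PHPUnit feature test, because VerifyCsrfToken skips token verification when the application is running under unit tests.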
