在一个响应中设置并检查Cookie-Laravel [英] Set and Check Cookie in the one response - Laravel

问题描述

我正在尝试设置cookie，然后检查是否已设置cookie.

I am attempting to set a cookie and then check to see if the cookie has been set.

因此，在一个函数中，我让它制作了cookie:

So in one function, I have it make the cookies:

public function makeCookies(){
    Cookie::queue('logged_in', $value, 15);
    Cookie::queue('user_id', 2);
    //return Response::make()->withCookie(Cookie::make('logged_in', $value, 15))->withCookie(Cookie::forever('user_id', 2));
}

在另一个功能中，我尝试检查cookie是否已设置:

And in the other function, I try to check to see if the cookie has been set:

public function checkCookies(){
         $this->makeCookies();
         if(Cookie::get('logged_in') && Cookie::get('user_id')){
              return 'Logged In!';
         }
}

但是，唯一可行的方法是在$ this-> makeCookies()之前添加"return"；但是，我希望能够达到下面的条件.我有什么办法可以做到这一点?任何帮助，我们将不胜感激.

However the only way this works is if I add 'return' before $this->makeCookies(); However, I want to be able to get to the conditional below it. Is there any way I can go about doing this? Any help is greatly appreciated.

推荐答案

了解Cookie的创建/读取过程:

To understand the Cookie Creation/Read process:

1. 用户的浏览器发送页面请求，以及该站点当前具有的所有cookie
2. 该网站为页面提供服务，您创建的任何cookie都将成为响应中的标题.
3. 对您网站的后续请求将发送在#2中创建的cookie.

您要问的是什么...以便能够读取您在步骤#1中在步骤#2中创建的cookie ...

What you are asking...to be able to read cookies that you create in step #2 in step #1...not possible.

现在，根据Cookie类的创建方式，您可以使其创建，以便在调用Cookie :: queue()时，它会创建内存数据，该数据反映下一个Cookie的应为".请求，但它并不真正知道用户的浏览器是否接受cookie等.

Now, depending on how the Cookie class is created, you could make it so that when the Cookie::queue() is called, that it creates in-memory data that reflects what the cookie "should be" on the next request, but it doesn't truly know whether or not the user's browser will accept cookies, etc.

这就是为什么许多网站在创建Cookie后都会向用户重定向到带有诸如?checkCookie = 1之类的页面的原因.这样，在随后的请求中，他们可以验证您的浏览器是否支持cookie ...并且，如果在"checkCookie"页面上不存在该cookie，则会给您一个错误，指出其站点需要cookie支持.但是，确实需要对服务器进行第二轮操作才能从已创建的浏览器中读取Cookie.

This is why many sites, after creating a cookie give the user a redirect to a page with something like ?checkCookie=1. This way, on the subsequent request, they can verify that your browser supports cookies...and if the cookie doesn't exist on the ?checkCookie page, they give you an error saying that their site requires cookie support. However, it does require a second round to the server to read cookies from the browser that were created.

更新2015-04-24 根据@ Scopey，Laravel支持通过queued()在内存中检索Cookie.因此，您应该可以:

UPDATE 2015-04-24 Per @Scopey, Laravel does support in-memory retrieval of cookies via queued(). So, you should be able to do:

public function checkCookies(){
    $this->makeCookies();
    $loggedIn = Cookie::get('logged_in') ?: Cookie::queued('logged_in');
    $userId   = Cookie::get('user_id') ?: Cookie::queued('user_id');
    if( $loggedIn && $userId ){
        return 'Logged In!';
    }
}

安全问题(不直接回答问题)

您的问题仅是关于cookie的，这就是我所回答的全部.但是，既然我正在查看您的代码，我会为不为任何碰巧正在阅读本文的人指出这一点而感到困惑.这可能只是您自己的操作方法"，而不是生产代码，但是如果该代码公开，则可能非常危险.

Your question was only about the cookies, so that's all I answered. However, now that I'm looking at your code, I feel I would be remiss not to point this out for anyone that happens to be reading this. This may just be a "how to" for yourself and not production code, but that code could be very dangerous if it ever went public.

确保您不信任存储在cookie中的user_id来确定通过cookie进入的用户.如果您依靠它，而我来到您的网站，则可以将Cookie修改为所需的任何user_id，并进入其他人的帐户.

Make sure you do NOT TRUST a user_id stored in a cookie to determine what user is coming in via cookies. If you rely on that, and I come to your site, I can modify my cookie to any user_id I want and get into other people's accounts.

一般安全规则:

Cookie应该包含一个GUID或类似的随机字符串来标识会话.该随机字符串应足够长(例如32个字符或更大，恕我直言)，以免有人用暴力手段劫持会话.

A cookie should contain a GUID, or similar random string to identify the session. This random string should be sufficiently long (e.g. 32 characters or greater, IMHO) that it is not easy for someone to brute-force their way to hijacking sessions.

user_id应该存储在$ _SESSION(或适用于会话的laravel的包装器)中，以便用户无权访问user_id才能对其进行修改.

The user_id should be stored in the $_SESSION (or laravel's wrapper for session if applicable) so that the user doesn't have any access to the user_id to be able to modify it.

在普通的PHP中，登录页面类似于以下内容:

In plain PHP, this something like this for the login page:

session_start();
if( isValidPassword($_POST['username'], $_POST['password']) ) {
    $_SESSION['user_id'] = $user->Id;
}
else {
    die('invalid login credentials');
}

session_start()方法会使用随机的长字符串自动为用户生成Cookie(因此您甚至不必担心该部分.)

The session_start() method automatically generates a cookie for the user with that long, random string (so you don't even have to worry about that part.)

在随后的页面上，您只需检查会话user_id即可知道谁登录:

On subsequent pages, you just check the session user_id to know who is logged in:

session_start();
if( empty($_SESSION['user_id']) ) {
    die('You are not logged in and cannot access this page');
}

根据Laravel的文档进行必要的更改，如果他们有自己的会话包装器，我相信最好的实践文档已对此进行了很好的记录.

Change as needed per Laravel's documentation, which if they have their own session wrapper, I'm sure is well documented on best practices.

这篇关于在一个响应中设置并检查Cookie-Laravel的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！