How to destroy all sessions in Symfony 2

Question

After detailed investigation and consultation with some experts, it occurred to me that the idea of destroying sessions is an incorrect one. The better question would be — «How to force all users to log out».

And this problem should be solved not from the session perspective, which is a pretty low-level mechanism, but from the Security Component one. Even if you delete all session data, it will be re-created by means of remember me cookies with the next user requests.

I will try to present the valid solution to this problem later on.

I need to implement a feature of so-called application «lockdown», so I need a way to log all users out of a Symfony 2 application (close all active sessions).

What is the best way to achieve this functionality?

Ideally, the solution should be fully compatible with all possible save-handlers.

It looks like SessionHandlerInterface doesn't provide a method to do so.

Recommended answer

A programmatic approach should be to use a session listener and invalidate the session if a particular event exists, something like a flag/timestamp alive in a database table or something similar.

As described in this article:

Invalidating a session based on its age

namespace Acme\DemoBundle\EventListener;

use Symfony\Component\HttpKernel\Event\GetResponseEvent;
use Symfony\Component\HttpKernel\HttpKernelInterface;

class SessionListener
{
    /**
     * @var \Acme\DemoBundle\Service\SessionInvalidator
     */
    protected $sessionInvalidator;

    public function __construct($sessionInvalidator)
    {
        $this->sessionInvalidator = $sessionInvalidator;
    }

    public function onKernelRequest(GetResponseEvent $event)
    {
        // only check the main request, not sub-requests
        if ($event->getRequestType() !== HttpKernelInterface::MASTER_REQUEST) {
            return;
        }

        $session = $event->getRequest()->getSession();
        if ($session === null) {
            // no session is attached to this request
            return;
        }
        $metadataBag = $session->getMetadataBag();

        $lastUsed = $metadataBag->getLastUsed();
        if ($lastUsed === null) {
            // the session was created just now
            return;
        }

        // "last used" is a Unix timestamp
        if (!$this->sessionInvalidator->checkTimestampIsValid($lastUsed)) {
            // clears the session data and regenerates the session ID
            $session->invalidate();
        }
    }
}

And the configuration:

<service id="acme_security.verify_session_listener"
         class="Acme\DemoBundle\EventListener\SessionListener">
    <argument type="service" id="acme.session_invalidator"/>
    <tag name="kernel.event_listener"
         event="kernel.request"
         priority="100"
         method="onKernelRequest" />
</service>

Hope this helps
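
One possible implementation of the `SessionInvalidator` service that the listener depends on, as an added example that is not part of the original answer. The `app_lockdown` table, its `locked_at` column and the `lockdown()` method are assumptions made for illustration; only `checkTimestampIsValid()` is named on the page.

```php
<?php
// Added example: hypothetical SessionInvalidator backing the listener's check.
// The app_lockdown table, locked_at column and lockdown() are assumptions.
namespace Acme\DemoBundle\Service;

class SessionInvalidator
{
    private $pdo;

    public function __construct(\PDO $pdo)
    {
        $this->pdo = $pdo;
    }

    /** Record a lockdown; sessions last used up to this moment become invalid. */
    public function lockdown($now = null)
    {
        $stmt = $this->pdo->prepare('INSERT INTO app_lockdown (locked_at) VALUES (?)');
        $stmt->execute(array($now === null ? time() : (int) $now));
    }

    /** @return bool false when the session was last used before or at the latest lockdown */
    public function checkTimestampIsValid($lastUsed)
    {
        $lockedAt = $this->pdo->query('SELECT MAX(locked_at) FROM app_lockdown')->fetchColumn();
        if ($lockedAt === null || $lockedAt === false) {
            return true; // no lockdown has ever been recorded
        }
        // Fail closed: timestamps have one-second resolution, so a session used in
        // the same second as the lockdown is rejected rather than trusted.
        return (int) $lastUsed > (int) $lockedAt;
    }
}

// Constructed demo data: in-memory SQLite database and made-up timestamps.
$pdo = new \PDO('sqlite::memory:');
$pdo->setAttribute(\PDO::ATTR_ERRMODE, \PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE app_lockdown (locked_at INTEGER NOT NULL)');
$invalidator = new SessionInvalidator($pdo);

var_dump($invalidator->checkTimestampIsValid(1000)); // before any lockdown exists
$invalidator->lockdown(2000);
var_dump($invalidator->checkTimestampIsValid(1999)); // last used before the lockdown
var_dump($invalidator->checkTimestampIsValid(2000)); // same second as the lockdown
var_dump($invalidator->checkTimestampIsValid(2001)); // session created after the lockdown
```

As the question points out, invalidating the session does not revoke remember-me cookies, so this check alone does not keep users with such a cookie logged out.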
