闲置后Zend Framework自动注销 [英] Zend Framework Automatic Logout after inactivity

问题描述

我正在开发一个包含多个子应用程序的应用程序，我想在闲置30分钟后实现自动注销.我有一个AuthController，具有使用Bootstrap.php映射到自定义/login和/logout路由的登录和注销操作，以及一个如下所示的前端控制器插件:

I'm working on an application that houses several sub applications and I'd like to implement an auto logout after 30 minutes of inactivity. I have an AuthController with login and logout actions mapped to custom /login and /logout routes using the Bootstrap.php as well as a front controller plugin that looks like this:

class Plugin_SessionTrack extends Zend_Controller_Plugin_Abstract {

    public function preDispatch(Zend_Controller_Request_Abstract $request)
    {  

        $employeeSession = new Zend_Session_Namespace('employeeSession');
        $employeeSession->setExpirationSeconds(10);

    }
}

我是PHP和Zend的新手，十秒钟后会话究竟发生了什么?我将其设置为较低以进行测试.我想发生的事情是，如果通过前端控制器插件发出的最后一个请求的时间早于30分钟，请销毁会话并注销用户，然后将其重定向到/login.

I'm new to PHP and Zend, what exactly is happening to the session after 10 seconds? I have it set low for testing. What I'd like to have happen is if the time of the last request through the front controller plugin was greater than 30 minutes ago, destroy the session and log the user out and redirect them to /login.

很明显，我没有跟踪上一个请求的时间，但我希望每次用户有一个请求通过此preDispatch方法时，都会刷新setExpirationSeconds.

I can see obviously that I'm not tracking the time of the last request but my hope was that the setExpirationSeconds would be refreshed each time the user has a request come through this preDispatch method.

也许需要使用cookie?我不需要实际启动注销操作，只需在用户下一次发出请求时就可以处理该操作，如果他们在过去半小时内未执行任何操作，则该会话被销毁并注销了，这意味着如果我走了45分钟，我的屏幕看起来还是一样，但是如果我单击链接或尝试提交表单，我将其发送到/login.稍后我会担心某种类型的JS倒数警告.

Maybe a cookie needs used? I don't need to actually initiate a logout action, it can just be handled the next time the user makes a request, if they've not done anything in the last half hour the session is destroyed and they're logged out, meaning if I walk away for 45 minutes my screen still looks the same but if I click a link or try and submit a form I had up it sends me to /login. I can worry about some type of JS countdown warning later.

这是我的引导程序，如果有人想看到它:

Here's my bootstrap if anyone wants to see it:

class Bootstrap extends Zend_Application_Bootstrap_Bootstrap
{
    /**
     * Custom routes:
     * 
     * /login
     * /logout
     */
    protected function _initRoutes()
    {

        $router = Zend_Controller_Front::getInstance()->getRouter();

        $loginRoute = new Zend_Controller_Router_Route('login', array('controller' => 'auth', 'action' => 'login'));

        $logoutRoute = new Zend_Controller_Router_Route('logout', array('controller' => 'auth', 'action' => 'logout'));

        $routesArray = array('login' => $loginRoute, 'logout' => $logoutRoute);

        $router->addRoutes($routesArray);

    }

    protected function _initPlugins()
    {

        $frontController = Zend_Controller_Front::getInstance();
        $frontController->registerPlugin(new Plugin_SessionTrack());

    }
}

推荐答案

当您呼叫Zend_Session::setExpirationSeconds(10)时，会话本身在10秒后实际上没有任何反应.

When you call Zend_Session::setExpirationSeconds(10), nothing is actually happening to the session after 10 seconds time per se.

此调用使Zend_Session存储一个内部值，该内部值将该会话名称空间标记为从调用之时起在time() + $seconds处到期.每次Zend_Session启动时，它都会检查是否有任何会话数据被标记为过期，如果是，它将继续进行检查以查看过期时间或跳数是否已经过去.如果真是这样，那么有关的会话数据将在初始化时未设置，因此您的应用程序将不再可以访问该数据.

This call causes Zend_Session to store an internal value marking that session namespace for expiration at time() + $seconds from the time the call is made. Each time a Zend_Session starts, it checks to see if any session data is marked for expiration, and if so proceeds to check to see if the expiration time or hop count has passed. If that is the case, then the session data in question is unset at initialization, and is therefore no longer accessible by your application.

如果您在每个请求开始时都进行此调用，则每次加载页面时，它应继续将会话的寿命延长这么多秒.

If you make this call at the beginning of every request, it should continue to prolong the life of the session by that many seconds on each page load.

请记住，如果将php.ini中的会话设置设置为在15分钟后过期，那么将命名空间设置为在60分钟后过期将不会覆盖PHP的15分钟的会话生存期.您可以在application.ini文件中对PHP的会话指令进行此类调整.

Keep in mind that if the session settings in php.ini are set to expire the session after 15 minutes, setting a namespace to expire after 60 minutes will not override PHP's session lifetime of 15 minutes. You can make such adjustments to PHP's session directives in your application.ini file.

在名称空间上设置到期时间还具有自动删除某些会话数据而不必破坏整个会话的优点.

Setting an expiration on the namespace also has the advantage of automatically removing some session data without having to destroy the entire session.

我不知道您的应用程序的详细信息，但是您可以使用该插件检查并查看它们是否已注销，并将请求转发到您的登录页面.您可以在创建名称空间后检查有效的登录名，但还需要确保当前请求不是登录尝试.或者，您可以推迟检查插件中的有效登录名，然后让您的ACL在控制器级别上进行处理.

I don't know the specifics of your application, but you could use the plugin to check and see if they are logged out and forward the request to your login page. You could check for a valid login after creating the namespace, but you also would want to make sure that the current request wasn't a login attempt. Or you could just defer checking for valid login in the plugin and let your ACL handle that later at the controller level.

您可能还想研究 Zend_Auth ，您可以使用它来持久保存会话中的身份.身份可以是任何值，从表明是否已登录的简单布尔值到实现Zend_Acl_Role_Interface的完整用户对象. Zend Auth也很容易扩展，因此您可以通过为每个实例使用不同的名称空间来同时激活多个Zend_Auth会话，并且可以让您的自定义auth类在不同的会话名称空间上设置不同的时间限制.

You may also want to look into Zend_Auth which you can use to persist an identity in the session. The identity can be anything from a simple boolean value indicating if they are logged in, to a full blown user object that implements Zend_Acl_Role_Interface. Zend Auth is also easily extended so you can have multiple Zend_Auth sessions active at the same time by using different namespaces for each instance, and could have your custom auth class set different time limits on different session namespaces.

我希望这有助于回答您的问题，如果您对我所说的内容有疑问，请随时发表评论.

I hope that helps answer your question, feel free to comment if you have questions on what I said.

我测试了以下代码，并在设置的时间后成功使我的Zend_Auth身份过期.我用60秒测试了它的低位状态，等待60秒加载页面后，我不再拥有和标识，被注销".您可以将其添加到会话跟踪插件中.

I tested the following code and it successfully expired my Zend_Auth identity after the set time. I tested it low with 60 seconds and after waiting 60 seconds to load the page, I no longer had and identity and was "logged out". You could add this to your session track plugin.

<?php
$auth = Zend_Auth::getInstance();

if ($auth->hasIdentity()) { // user is logged in
    // get an instance of Zend_Session_Namespace used by Zend_Auth
    $authns = new Zend_Session_Namespace($auth->getStorage()->getNamespace());

    // set an expiration on the Zend_Auth namespace where identity is held
    $authns->setExpirationSeconds(60 * 30);  // expire auth storage after 30 min
}

这篇关于闲置后Zend Framework自动注销的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！