Sharing session between React front-end server and PHP/Symfony back-end server


Problem description


I have an application which consists of a front-end server running React and a back-end server running PHP/Symfony. Part of the front-end is developed using twig templates (mostly backoffice forms for updating content) and is handled by the same back-end server, and part of it is developed using React and resides in the separate front-end server (for public user access, with some more functionality).


The system has three user roles: a superadmin (authenticated through a form against an in-memory user configured in Symfony), backoffice employee (authenticated through the same form against the User entity in the database) and a "public user", so to speak, which uses the public side of the application, authenticated through a third party service which, in the end, requires us to start a session inside one of our APIs with code similar to this:

    $token = new UsernamePasswordToken($publicUserEntity, null, 'main', $publicUserEntity->getRoles());
    $this->get('security.token_storage')->setToken($token);
    $this->get('session')->set('_security_main', serialize($token));


Users are successfully authenticated in the three ways, but the session is only open if I am in the backend server and not if I make a request from the frontend server.


For example, after I login with a Public User, if I make a request to:

http://backendserverhost/api/someentity/me


That API loads the current session's User Id to get the user's data, and I get a proper response according to the authenticated user.


But if I make the same request from the frontend server (to the same API, and same endpoint) in order to get the same information and show it, it returns an error as if it was an anonymous user.


What changes should I do to be able to "use" the opened session in the backend server to make the frontend server requests?

Recommended answer


I ended up finding two different solutions, based on all suggestions:


Cookie-based authentication (the one I am using right now): I start the session in the controller as shown above, and obtain the session ID. I send it to the React front-end server in the query, and they use it in their requests as the "PHPSESSID" Cookie in order to authenticate.

    //Assign session to user
    $token = new UsernamePasswordToken($userEntity, null, 'main', $userEntity->getRoles());
    $this->get('security.token_storage')->setToken($token);
    $this->get('session')->set('_security_main', serialize($token));

    //Redirect to homepage
    $redirectUrl = $this->container->getParameter('zafter_login_redirect_url');
    $response = new RedirectResponse($redirectUrl . '?login=' . $this->get('session')->getId());
    $cookie = new Cookie('PHPSESSID', $this->get('session')->getId());
    $response->headers->setCookie($cookie);
    return $response;


This proved to be the fastest and simplest way to solve the problem, since it requires little coding, no new dependencies or bundles, and I only had to modify the response in the login API.


Token-based authentication (the one I will probably end up using, since it is also useful for the mobile client): Using a bundle that implements JWT authentication (such as LexikJWTAuthenticationBundle) I generate an authentication token after login, send it in the request, and the client (either React or Mobile) uses it to authenticate in subsequent requests.


The process is detailed in the bundle's documentation: https://github.com/lexik/LexikJWTAuthenticationBundle
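The cookie-based variant above works, but the answer's own code hands the session ID to the front-end twice: once in the redirect URL (`?login=<session id>`) and once as a bare `PHPSESSID` cookie with default attributes. An ID carried in a URL ends up in browser history, `Referer` headers and server access logs, and a cookie without `Secure`/`HttpOnly`/`SameSite` is readable by page scripts and sent over plain HTTP. The following is an added example, not code from the question, the answer or Symfony itself, of the same login response with those two issues addressed. It assumes Symfony 4.4 or later (for `Cookie::SAMESITE_NONE`), a firewall named `main` as in the answer, a hypothetical container parameter `frontend_origin` holding the React server's origin, and a hypothetical `resolvePublicUser()` helper standing in for the third-party authentication step the question describes.

```php
<?php
// Added example (not from the page): hardened version of the cookie-based login response.
// Assumptions: Symfony >= 4.4, firewall 'main', container parameter 'frontend_origin'
// (hypothetical), and resolvePublicUser() (hypothetical) returning the authenticated entity.

namespace App\Controller;

use Symfony\Bundle\FrameworkBundle\Controller\AbstractController;
use Symfony\Component\HttpFoundation\Cookie;
use Symfony\Component\HttpFoundation\JsonResponse;
use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\HttpFoundation\Response;
use Symfony\Component\HttpFoundation\Session\SessionInterface;
use Symfony\Component\Security\Core\Authentication\Token\Storage\TokenStorageInterface;
use Symfony\Component\Security\Core\Authentication\Token\UsernamePasswordToken;
use Symfony\Component\Security\Core\User\UserInterface;

class PublicLoginController extends AbstractController
{
    public function login(Request $request, SessionInterface $session, TokenStorageInterface $tokenStorage): Response
    {
        // Hypothetical helper: the third-party step from the question yields the user entity.
        $userEntity = $this->resolvePublicUser($request);

        // Regenerate the session ID at the moment of authentication, so an ID that existed
        // before login (and may have been observed or planted) never becomes an authenticated one.
        $session->migrate(true);

        // Same token setup as in the answer.
        $token = new UsernamePasswordToken($userEntity, null, 'main', $userEntity->getRoles());
        $tokenStorage->setToken($token);
        $session->set('_security_main', serialize($token));

        // The session ID travels only in the cookie; the response body carries no secret,
        // so nothing sensitive lands in URLs, history or access logs.
        $response = new JsonResponse(['status' => 'ok']);

        $response->headers->setCookie(Cookie::create(
            'PHPSESSID',
            $session->getId(),
            0,                      // expire: browser-session cookie
            '/',                    // path
            null,                   // domain: defaults to the back-end host
            true,                   // Secure: only sent over HTTPS
            true,                   // HttpOnly: not readable from page JavaScript
            false,                  // raw
            Cookie::SAMESITE_NONE   // needed for a cross-site fetch() with credentials; requires Secure
        ));

        // CORS: browsers attach cookies to a cross-origin request only if the response names the
        // exact origin and allows credentials; a wildcard origin is rejected together with credentials.
        $response->headers->set('Access-Control-Allow-Origin', $this->getParameter('frontend_origin'));
        $response->headers->set('Access-Control-Allow-Credentials', 'true');
        $response->headers->set('Vary', 'Origin');

        return $response;
    }

    // Hypothetical: wraps the third-party authentication described in the question.
    private function resolvePublicUser(Request $request): UserInterface
    {
        throw new \LogicException('Implement the third-party authentication step here.');
    }
}
```

On the React side the request must opt in to sending the cookie (`fetch(url, { credentials: 'include' })`), and every API route that the front-end calls needs the same `Access-Control-Allow-Origin` / `Access-Control-Allow-Credentials` pair on its responses, including the preflight `OPTIONS` response. If the front-end and back-end share a registrable domain (for example two subdomains), `Cookie::SAMESITE_LAX` with an explicit `domain` argument is the stricter choice and still works for top-level navigations.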
