How to keep the session active even if the browser was accidentally closed?


Problem description

I want to add something to my site.

How can I keep the user's session active even if they accidentally close their browser, like Facebook does, for example?

If you log in to their site and close the tab or the browser, then when you open a browser again and visit Facebook, they will automatically detect the active user and will not redirect you to the login page.

How do I do that?

Answer

There are two relevant settings that control a session's lifetime.

The first is session.cookie_lifetime. This is the lifetime of the cookie, which by default is 0, which means the cookie is destroyed when the browser is closed. You can set a longer lifetime by increasing this variable. It is relative to the server time, so you need to account for differences between the time on your clients' machines and on your server. Assuming they are the same, setting the option to e.g. 3600 would mean the session would expire in an hour. If you want to keep the session alive for a very long time, you increase this number.

However, changing this value is not enough. There is also session.gc_maxlifetime, which is the time after which the session data is seen as garbage in the storage and is destroyed. This differs from session.cookie_lifetime because this option checks the last access time of the session data, so it is relative to the time the session data was last used (i.e. when the user was last active). Even if you set your session.cookie_lifetime to a high value, it will not be enough, because session.gc_maxlifetime is usually relatively low (1440 is the default, which is only 24 minutes).

While you can set both of these settings to relatively high values and have it work, I would recommend against doing so, as this will leave a lot of unnecessary session data hanging around in your session storage, due to the GC not collecting actually dead sessions (which also increases the chance of someone hijacking a session in a system that is not properly secured). A better approach is making a remember-me cookie. Basically you put the user's ID and some authentication token that you store in the database for each user (this is to prevent someone spoofing the cookie) into the cookie, and give it a long lifetime. In your application's initialization code you check whether the user is logged in. If he/she is not logged in, you check whether the remember-me cookie is set. If it is, you pull the user from the database based on the user ID in the cookie, and then validate that the authentication token in the DB is the same as the one in the cookie. If they match, you simply create the session and log the user in automatically.
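The flow the answer describes, as an added example in PHP that is not part of the answer itself: the two ini settings left at conservative values, a long-lived remember-me cookie carrying a lookup selector and a random validator, and the check run at application start. It goes beyond the answer in two places a practitioner would want: only a hash of the validator is stored server-side (so a leaked token table cannot be replayed as cookies), and the stored hash is compared with hash_equals() and the token rotated on each use. The cookie name, the $tokens array standing in for the database table, and the 30-day lifetime are assumptions for the example.

```php
<?php
declare(strict_types=1);

// The two knobs from the answer are separate: keep the session cookie a
// browser-session cookie and keep GC short; long-lived login is handled by
// the remember-me cookie below, not by stretching the session itself.
ini_set('session.cookie_lifetime', '0');     // dies with the browser
ini_set('session.gc_maxlifetime', '1440');   // 24 minutes of inactivity
ini_set('session.cookie_httponly', '1');
ini_set('session.cookie_secure', '1');
ini_set('session.cookie_samesite', 'Lax');

const REMEMBER_COOKIE   = 'remember_me';      // assumed cookie name
const REMEMBER_LIFETIME = 30 * 24 * 3600;      // assumed: 30 days, in seconds

// Issue a remember-me token for $userId. The cookie value is
// "selector:validator"; $tokens stands in for the DB table and stores only
// the user id, a SHA-256 of the validator and an absolute expiry.
function issue_remember_token(int $userId, array &$tokens, int $now): string
{
    $selector  = bin2hex(random_bytes(9));   // 18 hex chars, lookup key
    $validator = bin2hex(random_bytes(32));  // 64 hex chars, the secret
    $tokens[$selector] = [
        'user_id'        => $userId,
        'validator_hash' => hash('sha256', $validator),
        'expires'        => $now + REMEMBER_LIFETIME,
    ];
    return $selector . ':' . $validator;
}

// Validate a presented cookie. Returns the user id or null. A used token is
// deleted either way: a correct one is single-use (the caller issues a fresh
// one), and a wrong validator under a real selector means the cookie was
// guessed or copied, so the legitimate holder is logged out too.
function consume_remember_token(string $cookie, array &$tokens, int $now): ?int
{
    $parts = explode(':', $cookie, 2);
    if (count($parts) !== 2) {
        return null;
    }
    [$selector, $validator] = $parts;
    if (!preg_match('/^[0-9a-f]{18}$/', $selector) || !preg_match('/^[0-9a-f]{64}$/', $validator)) {
        return null;
    }
    $row = $tokens[$selector] ?? null;
    if ($row === null) {
        return null;
    }
    unset($tokens[$selector]);
    if ($row['expires'] < $now) {
        return null;
    }
    // Constant-time compare; a plain === on the hashes leaks timing.
    if (!hash_equals($row['validator_hash'], hash('sha256', $validator))) {
        return null;
    }
    return $row['user_id'];
}

// Application start: prefer the live session, else fall back to the cookie.
function current_user(array &$tokens, int $now): ?int
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    if (isset($_SESSION['user_id'])) {
        return $_SESSION['user_id'];
    }
    $cookie = $_COOKIE[REMEMBER_COOKIE] ?? null;
    if ($cookie === null) {
        return null;
    }
    $userId = consume_remember_token($cookie, $tokens, $now);
    if ($userId === null) {
        setcookie(REMEMBER_COOKIE, '', ['expires' => 1, 'path' => '/']);  // drop junk
        return null;
    }
    session_regenerate_id(true);        // fresh session id on login
    $_SESSION['user_id'] = $userId;
    setcookie(REMEMBER_COOKIE, issue_remember_token($userId, $tokens, $now), [
        'expires'  => $now + REMEMBER_LIFETIME,
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
    return $userId;
}

// Constructed demo: log in, "close the browser", come back with the cookie.
$tokens = [];
$now    = time();
$cookie = issue_remember_token(42, $tokens, $now);                    // at login
$first  = consume_remember_token($cookie, $tokens, $now + 3600);      // next visit
$replay = consume_remember_token($cookie, $tokens, $now + 3600);      // replayed cookie
$stale  = issue_remember_token(7, $tokens, $now);
$late   = consume_remember_token($stale, $tokens, $now + REMEMBER_LIFETIME + 1);
echo ($first === 42 && $replay === null && $late === null)
    ? "remember-me checks passed\n" : "remember-me checks FAILED\n";
```

Run it with `php remember.php`; the demo at the bottom exercises only the token functions so it works from the CLI, while current_user() is the hook you would call from the application's initialization code. The selector/validator split matters because the DB lookup happens on the selector, so the secret half is never used as a key and the compare is always against a hash.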
