persisted login with Zend_Session::rememberMe


Problem description

I'm using Zend_Session to manage my user sessions, and I was looking to implement a "Remember Me" option in my application to keep users logged in for 2 weeks or so.

I've noticed that Zend_Session already has a built-in function called Zend_Session::rememberMe, but I'm not sure that function's logic is correct to use as a persisted login.

Essentially, the rememberMe function just extends the active session's expiration date, which means that if the user uses the remember me option, he'll stay logged in for 2 weeks with an active session.

This brings up 2 major issues.

  1. I store sessions in the database, which means all of those inactive users are kept in the session table for 2 weeks. I have over 50k inactive sessions, and it's hurting the application's performance.
  2. I'd like to know whether a user came back to the site after 24 hours of inactivity, so I can re-validate his information. Since his session stays open, I can't really tell whether he came back after 1 hour or after 1 week, because he has the same valid session ID.

I've read that if I want to implement a remember me feature, I shouldn't use the session cookie for that, and I should create another "login cookie" to remember a hashed user_id and a token. Here's the complete explanation: What is the best way to implement "remember me" for a website?

So why does Zend Framework offer such a function, if using it can create performance and security issues?

Recommended answer

+1 for noting the major flaw behind Zend's approach to the 'remember me' functionality. Some people don't understand there is a penalty to be had when they attempt to extend the session lifetime, regardless of whether the session handler is file- or db-based. Allowing stale sessions to persist beyond a reasonable time-frame is a weak solution, and you are better off implementing the custom cookie solution outlined by the link you provided.

The direct answer to your question: who knows. Maybe they didn't consider the fact that many users opt for database session handling, and figured that piling up stale session cookies on the filesystem had no direct impact on performance.

Also, if you wanted to track whether a user came back and re-established a stale session, you could add an 'updated_at' column to your session tracking table. You would then have two timestamp columns, created_at and updated_at, which would help you make this determination.
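The two ideas above, the separate "login cookie" from the question (a lookup selector plus a random validator of which only the hash is stored server-side, with its own two-week expiry) and the created_at/updated_at idle check from the answer, fit together as follows. This is an added example written for this page; it is not code from the question, the answer or Zend Framework. The `$loginTokens` and `$sessions` arrays stand in for two database tables, and every function and column name here is this example's own assumption.

```php
<?php
// Added example: a persistent-login cookie kept separate from the session
// cookie, plus the created_at/updated_at idle check. The two arrays below
// stand in for database tables; all names are assumptions of this example.
declare(strict_types=1);

const LOGIN_COOKIE_LIFETIME = 14 * 24 * 3600; // two weeks, as in the question
const REVALIDATE_AFTER      = 24 * 3600;      // idle gap after which the user is re-checked

/** Issue a login cookie value "selector:validator"; only hash(validator) is stored. */
function issueLoginCookie(array &$loginTokens, int $userId, int $now): string
{
    $selector  = bin2hex(random_bytes(9));   // lookup key, may be stored in clear
    $validator = bin2hex(random_bytes(32));  // secret, stored only as a hash
    $loginTokens[$selector] = [
        'user_id'    => $userId,
        'token_hash' => hash('sha256', $validator),
        'expires_at' => $now + LOGIN_COOKIE_LIFETIME,
    ];
    return $selector . ':' . $validator;
}

/** Validate a login cookie value; returns the user id or null. A valid token is consumed. */
function redeemLoginCookie(array &$loginTokens, string $cookie, int $now): ?int
{
    $parts = explode(':', $cookie, 2);
    if (count($parts) !== 2 || !ctype_xdigit($parts[0]) || !ctype_xdigit($parts[1])) {
        return null;
    }
    [$selector, $validator] = $parts;
    $row = $loginTokens[$selector] ?? null;
    if ($row === null || $row['expires_at'] < $now) {
        unset($loginTokens[$selector]);      // expired rows are dropped on sight
        return null;
    }
    // Compare hashes in constant time so the check leaks nothing about the stored value.
    if (!hash_equals($row['token_hash'], hash('sha256', $validator))) {
        unset($loginTokens[$selector]);      // known selector, wrong secret: drop the series
        return null;
    }
    unset($loginTokens[$selector]);          // one-time use; the caller issues a fresh cookie
    return $row['user_id'];
}

/** Open a short-lived session row carrying created_at and updated_at. */
function openSession(array &$sessions, int $userId, int $now): string
{
    $sid = bin2hex(random_bytes(16));
    $sessions[$sid] = ['user_id' => $userId, 'created_at' => $now, 'updated_at' => $now];
    return $sid;
}

/**
 * Touch the session on every request. Returns 'fresh' when the user was active
 * within REVALIDATE_AFTER, 'revalidate' when the idle gap exceeded it, and
 * 'unknown' when no such session exists (it was purged, so fall back to the cookie).
 */
function touchSession(array &$sessions, string $sid, int $now): string
{
    if (!isset($sessions[$sid])) {
        return 'unknown';
    }
    $idle = $now - $sessions[$sid]['updated_at'];
    $sessions[$sid]['updated_at'] = $now;
    return $idle > REVALIDATE_AFTER ? 'revalidate' : 'fresh';
}

// Walk-through with constructed timestamps (no real clock or database involved).
$loginTokens = [];
$sessions    = [];
$t0 = 1700000000;

$cookie = issueLoginCookie($loginTokens, 42, $t0);
$sid    = openSession($sessions, 42, $t0);

echo touchSession($sessions, $sid, $t0 + 3600), PHP_EOL;        // active an hour later
echo touchSession($sessions, $sid, $t0 + 3 * 86400), PHP_EOL;   // back after three idle days

// The session row can now be purged on a short TTL; the login cookie still works.
unset($sessions[$sid]);
var_dump(redeemLoginCookie($loginTokens, $cookie, $t0 + 8 * 86400));

// The token was consumed, so replaying the same cookie value fails.
var_dump(redeemLoginCookie($loginTokens, $cookie, $t0 + 8 * 86400));

// A cookie presented after the two-week lifetime is rejected.
$late = issueLoginCookie($loginTokens, 42, $t0);
var_dump(redeemLoginCookie($loginTokens, $late, $t0 + 15 * 86400));
```

With this split the session table only has to hold rows for users active in the last day or so, which is what the 50k stale rows in the question were costing, while the login-token table holds one small row per remembered device. The cookie value should be sent with the HttpOnly and Secure flags, and a `revalidate` result from `touchSession` is the point at which to ask for the password again for anything sensitive.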
