How to limit users to one session with CakePHP 3?


Question

I have auth working fine. Users can log in and out, no problem. The thing is, if users share a login, they can all be logged in at the same time as the one user. Not good.

I need to have CakePHP know when a user is logged in, which I assume is a process started using:

'Session' => [
    'defaults' => 'database'
]

according to the Sessions page of the CakePHP book.

It's then I get lost. Unless I have missed it there is no reference to limiting users to one active session each. Has anyone come across this before and, if so, how did you work around it?

For clarity:

All sessions deleted from DB & all cookies deleted in browser = nothing set in either when visiting the /users/login page (incidentally, this has been set up as per the tutorials - nothing fancy).

Login = session set in db with id corresponding to cookie in browser. Exactly what you'd expect.

Logout (which then redirects back to login) = old session removed then replaced by another in DB and cookie. Different id. So something is picking up the expired cookie and refreshing it. Hmm.

The information held in the cookie is just the session id. In the DB it's simply:

Session id | a blob | expiry time

Answer

I assume you save users and sessions in a database (by default in cakePHP it is named sessions).

Add an active_session field, update it upon login, check it on requests to ensure that current user session id matches the last one stored in the database.

On Login action do:

-- scope the update to the user who just logged in; without the WHERE clause every row would be overwritten
UPDATE `users` SET `active_session` = '$session_id' WHERE `id` = '$user_id';

When user goes to a page that requires login, you search that value:

SELECT * FROM `users` WHERE `active_session` = '$session_id';

If the user signs in somewhere else, the previous session key gets overwritten, and the SELECT above returns an empty result set.

It's possible to clean up the old session token before the update, so that the old session is destroyed on a per-user basis.

Be careful: if you are using AuthComponent, it might rotate sessions itself; more information can be found in the corresponding section of the CakePHP manual.

I'd definitely go AuthComponent-way, and wouldn't re-invent the wheel in CakePHP.
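One way to wire the scheme from this answer into a CakePHP 3 application, as an added example that is not part of the original answer or of the CakePHP project. It assumes a nullable `active_session` column on the `users` table, the default `sessions` table created for the `database` session handler, and the stock `AuthComponent` setup from the tutorial the asker mentions; the controller code, the `active_session` column and the `elsewhere` behaviour are assumptions, not something the page itself shows. The order of operations matters: in CakePHP 3 `AuthComponent::setUser()` renews the session id (the rotation the answer warns about), so the id must be read after that call, and the check on every request must read `active_session` from the database rather than from the copy of the user row that Auth keeps in the session.

```php
<?php
// Added example: src/Controller/AppController.php and
// src/Controller/UsersController.php, written for CakePHP 3.x.
// Assumes `users`.`active_session` (nullable string) and the default
// `sessions` table used by 'Session' => ['defaults' => 'database'].
namespace App\Controller;

use Cake\Controller\Controller;
use Cake\Event\Event;
use Cake\ORM\TableRegistry;

class AppController extends Controller
{
    public function initialize()
    {
        parent::initialize();
        $this->loadComponent('Flash');
        $this->loadComponent('Auth', [
            'loginRedirect' => ['controller' => 'Articles', 'action' => 'index'],
            'logoutRedirect' => ['controller' => 'Users', 'action' => 'login'],
        ]);
    }

    public function beforeFilter(Event $event)
    {
        parent::beforeFilter($event);

        $userId = $this->Auth->user('id');
        if ($userId === null) {
            return; // anonymous request, nothing to compare against
        }

        // Auth->user() is a snapshot taken at login, so it would still hold the
        // value written by THIS browser. Read the live column instead.
        $row = TableRegistry::get('Users')->get($userId);

        if ($row->active_session !== $this->request->session()->id()) {
            // Another login replaced our id: drop this session and bounce to the
            // login page. logout() destroys the session and returns logoutRedirect,
            // so no flash message can be set here (it would be destroyed too).
            return $this->redirect($this->Auth->logout());
        }
    }
}

class UsersController extends AppController
{
    public function login()
    {
        if ($this->request->is('post')) {
            $user = $this->Auth->identify();
            if ($user) {
                // setUser() renews the session id in CakePHP 3; read it afterwards,
                // otherwise the stored value is the pre-login id and never matches.
                $this->Auth->setUser($user);
                $newId = $this->request->session()->id();

                // identify() returns the user row from the default finder (minus the
                // password), so the previous active_session is available here.
                // Delete that row from `sessions` first: the other browser is then
                // logged out on its very next request, not just flagged.
                if (!empty($user['active_session']) && $user['active_session'] !== $newId) {
                    TableRegistry::get('Sessions')
                        ->deleteAll(['id' => $user['active_session']]);
                }

                // Scoped to this user; an UPDATE without a condition would reset everyone.
                $this->Users->updateAll(
                    ['active_session' => $newId],
                    ['id' => $user['id']]
                );

                return $this->redirect($this->Auth->redirectUrl());
            }
            $this->Flash->error(__('Invalid username or password, try again'));
        }
    }
}
```

Putting the check in `AppController::beforeFilter()` means it runs before any action, including ones that `allow()` anonymous access, which is what you want: a stale session should not keep working anywhere. Because the previous row is deleted from `sessions` and the column is compared on every request, the displaced browser is cut off immediately rather than at its next login, and the parameter binding done by `updateAll()`/`deleteAll()` avoids the string interpolation shown in the raw SQL above.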
