当将来设置客户端时钟时，PHP会话立即过期 [英] PHP session expires immediately when client's clock is set in the future

问题描述

我已经开发了这个PHP Web应用程序，现在已经运行了几个月。突然有一个用户抱怨他能够登录，但是一旦他单击任何按钮，会话就会终止！在不同的浏览器上发生了相同的问题。

I have developed this PHP web application which is now running for some months. Suddenly one of the users complained that he was able to login, but the session was terminated as soon as he clicked on any button! The same problem happened on different browsers.

经过一些测试，我意识到每次用户单击任何按钮时都会创建一个全新的会话ID，这可能是因为原始会话

After some tests I realized that a brand new session ID was created every time the user clicked on any button, probably because the original session was expired.

无论出于什么原因，我都瞥了一眼用户的计算机时钟，这真是令人惊讶！他的时钟是未来3个月！我不知道这种事情是否与故障有关，但我确实确定了时间。仍然没有用。我删除了所有cookie。依然没有。所以我重新启动了浏览器-然后它又重新开始工作！

For whatever reason I took a glance at the user's computer clock and... surprise! His clock was 3 months in the future! I didn't know if such thing could have any relation to the failure, but I did fix the clock. Still it didn't work. I erased all cookies. Still nothing. So I restarted the browser - and then it started working again!

与该问题有关的最新信息是Shimon Amit对此问题。好，现在我知道时钟配置错误是原因。问题是...我无法控制每个客户的计算机时钟。其中一些将来可能会设置计算机时钟。

The closest information I got about this issue was Shimon Amit's answer to this question. Good, now I know that the clock "misconfiguration" is the cause. The problem is... I cannot keep every customer's computer clock under control. Some of them may have their computer clocks set in the future.

我的问题：对此有什么解决方案吗？有什么把戏吗我不希望客户遇到这样的错误，因为他们可能会发现它 lam脚并破坏了他们对应用程序的信任，即使这并不是我的错（在某种意义上）。

My question: is there any solution for this? Any trick? I don't want customers to face such errors as they may find it "lame" and break their trust on the application, even though it's not really my fault (in a sense).

推荐答案

您可以将会话超时延长到以后的日期。也许您可以使用不会过期的cookie（会话与客户端的cookie有关）。否则，您的客户端的浏览器将按照设计的目的进行操作。

You can extend your session timeout to a later date. Perhaps you can use cookies that don't expire (sessions are related to cookies on the client side) Otherwise, your client's browser is just doing what it's designed to do.

编辑：Javascript选项

这是一个完全hack，但是您可以使用javascript来获取客户端计算机上的当前时间并将其发回到服务器，然后将会话cookie的超时时间调整为在此之后三个月到期。参见 http://www.w3schools.com/jsref/jsref_gettime.asp

This is a total hack, but you COULD use javascript to get the current time on the client machine and send it back to the server, then adjust the timeout on your session cookie to expire three months after that. See http://www.w3schools.com/jsref/jsref_gettime.asp

一旦获取了客户端时间，就可以使用session_cache_expire（）重置会话到期时间。 http://www.php.net/manual/zh/function .session-cache-expire.php

Once you have retrieved the client time, you can reset the session expiration using session_cache_expire(). http://www.php.net/manual/en/function.session-cache-expire.php

编辑：100％服务器端选项

我想到的另一个选项是设置一个没有过期的会话cookie，但是跟踪在服务器上设置cookie的时间，例如在MySQL表中。您还需要跟踪上一个活动。每当登录用户发出请求时，您都可以检查其会话的开始时间和上次活动。如果当前时间大于上述任何一个的可接受超时，则销毁会话服务器端，并将它们带回到登录页面。如果会话仍然可以，请更新与该用户关联的上一个活动，以便您可以比较下一个请求。不需要客户端代码。

Another option that I thought of would be to set a session cookie with no expiration, but track the time the cookie was set on the server, say in a MySQL table. You would also need to keep track of the last activity. Whenever a logged in user makes a request, you could check the start time of their session and their last activity. If the current time is greater than your acceptable timeout for either of these, then destroy the session server side and bring them back to the log in page. If the session is still ok, then update the last activity associated with that user so you can compare on the next request. No client side code necessary.

这篇关于当将来设置客户端时钟时，PHP会话立即过期的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！