How to combine a persistent login cookie with parallel AJAX requests?


Problem description


I've implemented the Improved Persistent Login Cookie Best Practice for a "remember me" option.


This works fine when requests are in sequence (traditional page loading). In this case you are sure that the next request will have the same series identifier and the token that was last sent by the server.


But in the case of AJAX requests, where multiple requests are coming in parallel from the same browser, the first request will result in the generation of a new token number. But the other requests will not have this newly generated token number and they'll be denied access, considering it as a theft.


How do we get around this problem?

Recommended answer


Based on the proposed solution on the aforementioned Drupal thread (https://www.drupal.org/node/327263#comment-3428038), I'm wondering if we cannot have a simpler algorithm.


Instead of storing "old" replaced tokens in a short-lived caching table, why not use the current user's session?

1. User logs in with PL cookie
If series & token are in PL table:
  2. User session is populated with the last valid token
  3. new token is given to client
  4. user is logged in
If series key is in PL table, but token is not:
  2. check if current user session still holds the latest replaced token
  If found:
    3. user is logged in.  No new token is provided since one was generated in the first request.
  If not found:
    3. Assume keys are stolen - series is destroyed


This algorithm won't work in load balanced scenarios, though, when the session state is not properly replicated to all nodes!
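The answer's algorithm, written out as a runnable model (this is an added example, not code from the question, the answer, or Drupal; the class and function names `RememberMe`, `Session`, `issue`, `authenticate`, `simulate_parallel_burst` and the in-memory "PL table" are assumptions made for illustration). It keeps the digest of the token that was just rotated away in the browser's server-side session, so a parallel request that still carries the stale token is accepted without a second rotation, while the same stale token presented from a browser whose session never saw it is treated as theft and destroys the series:

```python
"""Model of the 'remember the last replaced token in the session' approach.

Added example; not the original post's code. Names and the in-memory
PL table are assumptions. Tokens are stored as SHA-256 digests so a
leaked table cannot be replayed directly.
"""
from __future__ import annotations

import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional


def token_digest(token: str) -> str:
    """Digest stored server-side instead of the raw token."""
    return hashlib.sha256(token.encode()).hexdigest()


@dataclass
class Session:
    """Server-side session for one browser; assumes a session cookie is sent
    alongside the persistent-login (PL) cookie."""
    user_id: Optional[str] = None
    # Digest of the token this session most recently rotated away (step 2).
    last_replaced_token: Optional[str] = None


class RememberMe:
    def __init__(self) -> None:
        # PL table: series -> {"user": user_id, "token": digest of current token}
        self.pl_table: dict = {}

    def issue(self, user_id: str) -> tuple[str, str]:
        """Create a new series for a user; returns the (series, token) cookie pair."""
        series = secrets.token_urlsafe(16)
        token = secrets.token_urlsafe(32)
        self.pl_table[series] = {"user": user_id, "token": token_digest(token)}
        return series, token

    def authenticate(self, session: Session, series: str, token: str):
        """Returns (outcome, new_cookie_or_None) for one request carrying the PL cookie."""
        row = self.pl_table.get(series)
        if row is None:
            return "unknown_series", None  # nothing to decide; treat as anonymous
        presented = token_digest(token)
        if hmac.compare_digest(presented, row["token"]):
            # Series and token match: remember the old token in the session,
            # hand a fresh token to the client, log the user in.
            session.last_replaced_token = presented
            new_token = secrets.token_urlsafe(32)
            row["token"] = token_digest(new_token)
            session.user_id = row["user"]
            return "login", (series, new_token)
        if session.last_replaced_token is not None and hmac.compare_digest(
            presented, session.last_replaced_token
        ):
            # Parallel request still carrying the token the first request
            # replaced: log in, do not rotate again.
            session.user_id = row["user"]
            return "login_no_rotate", None
        # Series is known but the token matches neither the current one nor the
        # one this session just replaced: assume theft and destroy the series.
        del self.pl_table[series]
        session.user_id = None
        return "theft", None


def simulate_parallel_burst(n_requests: int = 3) -> list:
    """One browser fires n requests with the same PL cookie; returns the outcomes.
    The first rotates the token, the rest are accepted via the session record."""
    rm = RememberMe()
    browser = Session()
    series, token = rm.issue("alice")
    return [rm.authenticate(browser, series, token)[0] for _ in range(n_requests)]


if __name__ == "__main__":
    print(simulate_parallel_burst(3))
```

Two points worth checking in your own implementation: the stale-token path only consults the session that sent the request, so it is only safe if the session cookie itself is as protected as the PL cookie (same `Secure`/`HttpOnly` flags); and, as the answer notes, `last_replaced_token` must live in session storage that every node behind a load balancer can read, otherwise a parallel request routed to another node hits the theft branch.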
