Persisted login with Zend_Session::rememberMe


Problem description

I'm using Zend_Session to manage my user sessions, and I was looking to implement a "Remember Me" option in my application to keep users logged in for 2 weeks or so.

I've noticed that Zend_Session already has a built-in function called Zend_Session::rememberMe; however, I'm not sure if that function's logic is correct to use as a persisted login.

Essentially, the rememberMe function just extends the active session's expiration date, which means that if the user uses the remember me option, he'll stay logged in for 2 weeks with an active session.

This brings up 2 major issues.

  1. I store sessions in the database, which means all these inactive users are kept in my session table for 2 weeks. I have over 50k inactive sessions, and this is affecting the application's performance.
  2. I want to know whether a user comes back to the site after 24 hours of inactivity, so I can re-verify his information. Since his session stays open, I can't tell whether he came back after 1 hour or after 1 week, because his active session id is the same.

I've read that if I want to implement a remember me feature, I shouldn't use the session cookie for that, and I should create another "login cookie" to remember a hashed user_id and a token. Here's the complete explanation: What is the best way to implement "remember me" for a website?

So why does Zend Framework offer such a function, if using it can create performance and security issues?

Recommended answer

+1 for noting the major flaw behind Zend's approach to the 'remember me' functionality. Some people don't understand there is a penalty to be had when they attempt to extend the session lifetime, regardless of the session handler being file or db based. Allowing stale sessions to persist beyond a reasonable time-frame is a weak solution, and you are better off implementing the custom cookie solution outlined in the link you provided.

The direct answer to your question: who knows. Maybe they didn't consider the fact that many users opt for database session handling, and figured piling up stale session cookies on the filesystem had no direct impact on performance.

Also, if you wanted to track whether a user came back and re-established a stale session, you could add an 'updated_at' column to your session tracking table. You would then have two timestamp columns, created_at and updated_at, which would help you make this determination.
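As an added example (not code from the question, the answer, or Zend Framework), here is a minimal PHP sketch of the separate login-cookie scheme the linked answer describes, combined with the created_at/updated_at check suggested above. `$store` is a constructed in-memory array standing in for the login-cookie table; the cookie layout, hashing and 24-hour re-verification threshold are assumptions.

```php
<?php
// Added example: a persistent-login cookie kept apart from the PHP session.
// $store is a constructed in-memory array standing in for a DB table.
declare(strict_types=1);

const REMEMBER_TTL   = 14 * 24 * 3600; // 2 weeks, as in the question
const REVERIFY_AFTER = 24 * 3600;      // re-verify users who were away more than 24h

// Issue a new login cookie for $userId; only the token's hash is persisted server-side.
function issueRememberMe(array &$store, int $userId, int $now): string
{
    $series = bin2hex(random_bytes(16));
    $token  = bin2hex(random_bytes(32));
    $store[$series] = [
        'user_id'    => $userId,
        'token_hash' => hash('sha256', $token),
        'created_at' => $now,   // never extended: the cookie hard-expires after REMEMBER_TTL
        'updated_at' => $now,   // last successful use, used for the 24h re-verify decision
    ];
    // Hand this to setcookie() with 'httponly', 'secure' and 'samesite' set.
    return $series . ':' . $token;
}

// Validate a presented cookie. Returns [user_id, needs_reverify, new_cookie] or null.
function consumeRememberMe(array &$store, string $cookie, int $now): ?array
{
    [$series, $token] = explode(':', $cookie, 2) + [null, null];
    if ($series === null || $token === null || !isset($store[$series])) {
        return null;
    }
    $row = $store[$series];
    if ($now - $row['created_at'] > REMEMBER_TTL) {
        unset($store[$series]);        // expired: delete the row instead of extending it
        return null;
    }
    if (!hash_equals($row['token_hash'], hash('sha256', $token))) {
        // Known series but wrong token: the cookie was probably copied and already used.
        // Revoke every series for this user so the real user is asked to log in again.
        foreach ($store as $s => $r) {
            if ($r['user_id'] === $row['user_id']) {
                unset($store[$s]);
            }
        }
        return null;
    }
    $needsReverify = ($now - $row['updated_at']) > REVERIFY_AFTER;
    // Rotate the token on every use; the series stays so reuse of an old token is detectable.
    $newToken = bin2hex(random_bytes(32));
    $store[$series]['token_hash'] = hash('sha256', $newToken);
    $store[$series]['updated_at'] = $now;
    return [$row['user_id'], $needsReverify, $series . ':' . $newToken];
}
```

Because the row is deleted on expiry rather than refreshed, the table only ever holds one small row per remembered device, not a full session per inactive user.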

