Codeigniter - 会话期满和“记住我”特征 [英] Codeigniter - Session expiration and "remember me" feature

问题描述

我在Codeigniter建立一个记住我的功能，通常我看到库/项目设置cookie的用户与一个令牌，这个令牌保存在数据库，并在每次用户访问网站进行比较。

在Codeigniter我们可以设置会话过期时间，这使我尝试不同的方法，这是我做的：

• 我将config中的session_expiration设置为0（无限会话）


• 如果用户不选中记住我

所以我的登录代码看起来像这样：

  if（！$ this-> input-> post（'remember_me'））{
 $ this-> session-> sess_expiration = 7200; 
 $ this-> session-> sess_expire_on_close = TRUE; 
} 
 
 $ this-> session-> set_userdata（$ session_data）; 
  

和我的配置文件：

  $ config ['sess_expiration'] = 0; 
 $ config ['sess_expire_on_close'] = FALSE; 
  

我没有看到有人在项目上使用这个解决方案，我已经测试过了，工作很好。

SO，对于我的问题，你会说这是一个安全的做法吗？任何安全危险我应该知道吗？此解决方案的任何输入与cookie +数据库令牌都很好。

解决方案

我发现这个问题的最简单的解决方案是只需通过这种方式修改Codeigniter创建的cookie：

  $ this-> session-> set_userdata ，$ user）; //已经创建了一个cookie 
 if（$ this-> input-> post（'remember_me'））
 {
 $ this-> load-&曲奇饼'）; 
 $ cookie = $ this-> input-> cookie（'ci_session'）; //我们得到cookie 
 $ this-> input-> set_cookie（'ci_session'，$ cookie，'35580000'）; //并添加一年到它的到期
} 
  

I'm building a "Remember Me" feature in Codeigniter, normally I see libraries/projects setting a cookie on the user with a token, this token gets saved in the database and is compared each time the user accesses the website.

In Codeigniter we can set the session expiration time though, this lead me to try a different approach, this is what I did:

• I set the session_expiration in config to 0 (infinite session)
• If the user leaves "Remember me" unchecked, I set a 2 hour time in the session and session destroy on window close.

So my login code looks like this:

if (!$this->input->post('remember_me')) {
                $this->session->sess_expiration = 7200;
                $this->session->sess_expire_on_close = TRUE;
            }

            $this->session->set_userdata($session_data);

And my config file:

$config['sess_expiration']      = 0;
$config['sess_expire_on_close'] = FALSE;

I don't see people using this solution on projects, I have tested this out and it seems to work fine though.

SO, for my question, would you say this a safe practice to do? Any security dangers I should know about? Any input on this solution vs cookie+database token would be great.

解决方案

The simpliest solution that I have found for this problem is to just modify the cookie created by Codeigniter by this way:

        $this->session->set_userdata('user', $user); // a cookie has been created
        if($this->input->post('remember_me'))
        {
            $this->load->helper('cookie');
            $cookie = $this->input->cookie('ci_session'); // we get the cookie
            $this->input->set_cookie('ci_session', $cookie, '35580000'); // and add one year to it's expiration
        }

这篇关于Codeigniter - 会话期满和“记住我”特征的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！