有没有办法使用户的Cookie无效? [英] Is there a way to invalidate user's cookie?
问题描述
情景:
- 用户来到我的网站(我可以得到我想要的任何数据);
- 用户离开页面;
- 经过一段时间从另一个回调服务器带有用户ID。在这一点上,我需要使用户会话和cookie无效。
与会话一样简单:
session_id($ user ['session_id']);
session_destroy();
如何使用Cookie实现相同?
请参阅这篇文章中的评论以了解更多细节及其与Facebook的关系。
简单的解决方案是替换位其中 PHP-SDK 正在从cookies存储有关用户的信息到会话,但去包装文件总是一个坏主意。
编辑
您的其他评论表明您并不了解什么如果您已经了解我要解释的内容,那么我应该提前道歉。
虽然我怀疑你需要一些Facebook特定的帮助来回答或解决您的实际问题,我想指出一个cookie实际上是什么:
HTTP / 1.1 200 OK
Content-type:text / html
Set-Cookie:name = value
Set-Cookie:name2 = value2; Expires = Wed,09 Jun 2021 10:18:14 GMT
http://en.wikipedia.org/wiki/HTTP_cookie#Setting_a_cookie
这是在客户端和服务器(请求者/响应者)之间传输Cookie的方式。您可以使用Firebug或Chrome控制台中的网络选项卡,了解请求的形式和数据的发送方式。它们不是自然地系统地记录,本身不是有限的事物,而是包含在请求和响应的分组中的标题的一部分,类似于电子邮件头中的CC / BCC字段:伪简单但是描述性。
为了实现 Cookie的效果,在消费之前验证Cookie,您需要确定如何将参考ID附加到cookie,或交替地)使用计算的代码检测特定的cookie,当在请求中提交其他数据时必须存在该cookie。另一种方法在 Jan的答案中描述。
Cookie虽然,通常不是这样处理的。他们只是运输,意味着结束,填补了GET和POST之间的空白。
您不是将cookie的数据扩展到正在使用的用户的权限无效,它结合请求。
一,你如何知道它来自不同的服务器?二,如果您可以确定请求是不合法的,无论您的服务器上的cookie的数据引用是否授予其代表用户执行操作的权限,都需要删除,即,任何会话被指示为结束/销毁或其他任何内容其他。
但是,Cookie只是该数据的传输。您必须能够拦截,检测和阻止其持有者提供的任何访问权,才能使其无用。
如果您要询问具体的内容,请提供更多信息。但基本上看来,似乎所有您需要做的是有一种方法来忽略包含您已被标识为无效或无效的数据或提供不正当访问(冒名顶替者)的Cookie。
Is there a way to invalidate user's cookie?
Scenario:
- User comes to my website (I can get any data I want);
- User leaves the pages;
- After some time a callback from another server comes with user ID. At this point, I need to invalidate user session and cookies.
With sessions, this was as simple as:
session_id($user['session_id']);
session_destroy();
How to achieve the same with cookies?
Please see comments under this post for more details and how it is related with Facebook.
The simple solution would be to replace the bit where PHP-SDK is storing information about the user from cookies to session, but going to the package file is always a bad idea.
EDIT
Your other comments suggest you're not really aware of what a cookie literally is, so I apologize in advance if you already understand what I'm about to explain.
Although I suspect you need some Facebook-specific help in answering or resolving your actual concern, I'd like to point out what a cookie actually is:
HTTP/1.1 200 OK
Content-type: text/html
Set-Cookie: name=value
Set-Cookie: name2=value2; Expires=Wed, 09 Jun 2021 10:18:14 GMT
http://en.wikipedia.org/wiki/HTTP_cookie#Setting_a_cookie
This is how cookies are transmitted between the client and server (requester/responder). You can use the Net tab in Firebug or Chrome Console to see for yourself how requests are made and what data is sent back and forth. They are not by nature "logged" systematically, are not finite "things" per se, but simply part of a header which is included in the packet of the request and response, something like a CC/BCC field in an email header: pseudo-transient but descriptive.
To accomplish an effect of Cookies are validated before consuming, you would need to determine how to attach a reference ID to the cookie, or (alternately) detect a specific cookie with a calculated code that must be present when the other data is submitted in a request. Another approach is described in Jan's answer.
Cookies, though, are not typically handled this way. They're just transports, means to an end, filling a void between GET and POST.
You're not "invalidating a cookie" so much as invalidating the permissions that cookie's data is extending to whoever is using it in conjunction with requests.
One, how do you know it comes from a different server? Two, if you can determine a request is not legitimate, whatever that cookie's data references on your server to give it permission to perform actions on behalf of a user needs to be removed, ie, whatever session is indicated is ended/destroyed, or whatever else.
The cookie, though, is only a transport for that data. You have to be able to intercept, detect, and block whatever access it provides it's holder with to render it "useless".
If you're asking something specific, please provide more information. But essentially it seems as if all you need to do is have a way to ignore cookies which contain data that you've identified as not valid or authentic or provides improper access (to imposters).
这篇关于有没有办法使用户的Cookie无效?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
