Problem description
I'm using Zend_Session to manage my user sessions, and I was looking to implement a "Remember Me" option in my application to keep users logged in for 2 weeks or so.
I've noticed that Zend_Session already has a built-in function called Zend_Session::rememberMe, however I'm not sure if that function's logic is correct to use as a persisted login.
Essentially, the rememberMe function just extends the active session's expiration date, which means if the user uses the remember me option, he'll stay logged in for 2 weeks with an active session.
This brings up 2 major issues.
- I store sessions in the database, which means all these inactive users sit in my session table for 2 weeks. I have over 50,000 inactive sessions, and this is affecting the application's performance.
- I want to know whether a user came back to the site after 24 hours of inactivity, so I can re-validate his information. Since his session stays open, I can't tell whether he came back after 1 hour or after 1 week, because his active session ID is the same.
I've read that if I want to implement a remember me feature, I shouldn't use the session cookie for that, and I should create another "login cookie" to remember a hashed user_id and a token. Here's the complete explanation: What is the best way to implement "remember me" for a website?
So why does Zend Framework offer such a function, if using it can create performance and security issues?
Recommended answer
+1 for noting the major flaw behind Zend's approach to the 'remember me' functionality. Some people don't understand there is a penalty to be paid when they attempt to extend the session lifetime, regardless of the session handler being file or db based. Allowing stale sessions to persist beyond a reasonable time-frame is a weak solution and you are better off implementing the custom cookie solution outlined by the link you provided.
The direct answer to your question: who knows. Maybe they didn't consider the fact that many users opt for database session handling, and figured piling up stale session files on the filesystem had no direct impact on performance.
Also, if you wanted to track whether a user came back and re-established a stale session, you could add an 'updated_at' column to your session tracking table. Then you would have two timestamp columns, created_at and updated_at, which would help you make this determination.
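As an added illustration of the separate "login cookie" approach the answer recommends (example code written here, not from the post, the linked article, or Zend Framework): a selector/validator token in plain PHP, with an in-memory array standing in for the token table. The cookie name remember_me, the SHA-256 hashing of the validator and the cookie flags are assumptions.

```php
<?php
declare(strict_types=1);
// Constructed example: a "login cookie" kept separate from the session cookie.
// $table stands in for a DB table (selector, user_id, validator_hash, expires_at).
const REMEMBER_TTL = 14 * 24 * 3600; // two weeks, as in the question

/** Issue a token for one remembered login: cookie value to set, row to store. */
function issueRememberToken(int $userId, int $now): array
{
    $selector  = bin2hex(random_bytes(12)); // public lookup key for the row
    $validator = bin2hex(random_bytes(32)); // secret; only its hash is stored
    $row = [
        'user_id'        => $userId,
        'validator_hash' => hash('sha256', $validator),
        'expires_at'     => $now + REMEMBER_TTL,
    ];
    return ['cookie' => "$selector:$validator", 'selector' => $selector, 'row' => $row];
}

/** Resolve a cookie value to a user id, or null if it is unknown, expired or forged. */
function checkRememberToken(string $cookie, array $table, int $now): ?int
{
    $parts = explode(':', $cookie, 2);
    if (count($parts) !== 2 || !isset($table[$parts[0]])) {
        return null;                       // malformed or unknown selector
    }
    $row = $table[$parts[0]];
    if ($row['expires_at'] < $now) {
        return null;                       // expired: the row can be purged
    }
    // Compare hashes in constant time; a DB leak alone yields no usable cookie.
    if (!hash_equals($row['validator_hash'], hash('sha256', $parts[1]))) {
        return null;                       // wrong validator for a known selector
    }
    return $row['user_id'];
}

// On login with "remember me" ticked: store the row, set the cookie (not the session).
$now    = time();
$table  = [];
$issued = issueRememberToken(42, $now);
$table[$issued['selector']] = $issued['row'];
setcookie('remember_me', $issued['cookie'], [
    'expires' => $now + REMEMBER_TTL, 'httponly' => true, 'secure' => true, 'samesite' => 'Lax',
]);
// On a later visit with no live session: resolve the cookie, then start a fresh session.
assert(checkRememberToken($issued['cookie'], $table, $now + 3600) === 42);
assert(checkRememberToken($issued['cookie'], $table, $now + REMEMBER_TTL + 1) === null);
assert(checkRememberToken($issued['selector'] . ':deadbeef', $table, $now) === null);
```

Because the cookie is resolved into a brand-new session, the normal 24-hour session expiry stays in force and each return from the login cookie is a distinct, loggable event; issuing a fresh validator on every successful use limits how long a stolen cookie stays valid.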