Zend Framework 不活动后自动注销

2021-12-29 00:00:00 session php zend-framework

我正在开发一个包含多个子应用程序的应用程序,我想在 30 分钟不活动后实现自动注销.我有一个使用 Bootstrap.php 映射到自定义/login 和/logout 路由的登录和注销操作的 AuthController 以及如下所示的前端控制器插件:

I'm working on an application that houses several sub applications and I'd like to implement an auto logout after 30 minutes of inactivity. I have an AuthController with login and logout actions mapped to custom /login and /logout routes using the Bootstrap.php as well as a front controller plugin that looks like this:

class Plugin_SessionTrack extends Zend_Controller_Plugin_Abstract {

    public function preDispatch(Zend_Controller_Request_Abstract $request)
    {  

        $employeeSession = new Zend_Session_Namespace('employeeSession');
        $employeeSession->setExpirationSeconds(10);

    }
}

我是 PHP 和 Zend 的新手,10 秒后会话到底发生了什么?我将它设置为低以进行测试.我希望发生的是,如果通过前端控制器插件的最后一个请求的时间大于 30 分钟前,则销毁会话并注销用户并将其重定向到/login.

I'm new to PHP and Zend, what exactly is happening to the session after 10 seconds? I have it set low for testing. What I'd like to have happen is if the time of the last request through the front controller plugin was greater than 30 minutes ago, destroy the session and log the user out and redirect them to /login.

我可以清楚地看到我没有跟踪上次请求的时间,但我希望每次用户通过这个 preDispatch 方法收到请求时都会刷新 setExpirationSeconds.

I can see obviously that I'm not tracking the time of the last request but my hope was that the setExpirationSeconds would be refreshed each time the user has a request come through this preDispatch method.

也许需要使用 cookie?我不需要实际启动注销操作,它可以在用户下次发出请求时处理,如果他们在过去半小时内没有做任何事情,会话就会被销毁并且他们被注销,这意味着如果我走开 45 分钟,我的屏幕看起来仍然相同,但是如果我单击链接或尝试提交我已创建的表单,它会将我发送到/login.稍后我可以担心某种类型的 JS 倒计时警告.

Maybe a cookie needs used? I don't need to actually initiate a logout action, it can just be handled the next time the user makes a request, if they've not done anything in the last half hour the session is destroyed and they're logged out, meaning if I walk away for 45 minutes my screen still looks the same but if I click a link or try and submit a form I had up it sends me to /login. I can worry about some type of JS countdown warning later.

如果有人想看,这是我的引导程序:

Here's my bootstrap if anyone wants to see it:

class Bootstrap extends Zend_Application_Bootstrap_Bootstrap
{
    /**
     * Custom routes:
     * 
     * /login
     * /logout
     */
    protected function _initRoutes()
    {

        $router = Zend_Controller_Front::getInstance()->getRouter();

        $loginRoute = new Zend_Controller_Router_Route('login', array('controller' => 'auth', 'action' => 'login'));

        $logoutRoute = new Zend_Controller_Router_Route('logout', array('controller' => 'auth', 'action' => 'logout'));

        $routesArray = array('login' => $loginRoute, 'logout' => $logoutRoute);

        $router->addRoutes($routesArray);

    }

    protected function _initPlugins()
    {

        $frontController = Zend_Controller_Front::getInstance();
        $frontController->registerPlugin(new Plugin_SessionTrack());

    }
}

推荐答案

当您调用 Zend_Session::setExpirationSeconds(10) 时,会话本身实际上在 10 秒后没有发生任何事情.

When you call Zend_Session::setExpirationSeconds(10), nothing is actually happening to the session after 10 seconds time per se.

这个调用导致 Zend_Session 存储一个内部值,该值标记该会话命名空间从调用时间开始在 time() + $seconds 到期.每次 Zend_Session 开始时,它都会检查是否有任何会话数据被标记为过期,如果是,则继续检查是否过期时间或跳数已经过去.如果是这种情况,则有问题的会话数据在初始化时未设置,因此您的应用程序无法再访问.

This call causes Zend_Session to store an internal value marking that session namespace for expiration at time() + $seconds from the time the call is made. Each time a Zend_Session starts, it checks to see if any session data is marked for expiration, and if so proceeds to check to see if the expiration time or hop count has passed. If that is the case, then the session data in question is unset at initialization, and is therefore no longer accessible by your application.

如果您在每次请求开始时进行此调用,它应该会在每次加载页面时继续将会话的生命周期延长数秒.

If you make this call at the beginning of every request, it should continue to prolong the life of the session by that many seconds on each page load.

请记住,如果 php.ini 中的会话设置被设置为在 15 分钟后过期,将命名空间设置为在 60 分钟后过期不会覆盖 PHP 的 15 分钟会话生存期.您可以在 application.ini 文件中对 PHP 的会话指令进行此类调整.

Keep in mind that if the session settings in php.ini are set to expire the session after 15 minutes, setting a namespace to expire after 60 minutes will not override PHP's session lifetime of 15 minutes. You can make such adjustments to PHP's session directives in your application.ini file.

在命名空间上设置过期时间还有一个好处,那就是自动删除一些会话数据,而不必破坏整个会话.

Setting an expiration on the namespace also has the advantage of automatically removing some session data without having to destroy the entire session.

我不知道您的应用程序的具体情况,但您可以使用该插件来检查它们是否已注销并将请求转发到您的登录页面.您可以在创建命名空间后检查有效登录,但您还需要确保当前请求不是登录尝试.或者,您可以推迟检查插件中的有效登录信息,然后让您的 ACL 稍后在控制器级别进行处理.

I don't know the specifics of your application, but you could use the plugin to check and see if they are logged out and forward the request to your login page. You could check for a valid login after creating the namespace, but you also would want to make sure that the current request wasn't a login attempt. Or you could just defer checking for valid login in the plugin and let your ACL handle that later at the controller level.

您可能还想查看 Zend_Auth,您可以使用它来持久化会话中的身份.身份可以是任何东西,从指示他们是否已登录的简单布尔值到实现 Zend_Acl_Role_Interface 的完整用户对象.Zend Auth 也很容易扩展,因此您可以通过为每个实例使用不同的命名空间来同时激活多个 Zend_Auth 会话,并且可以让您的自定义身份验证类为不同的会话命名空间设置不同的时间限制.

You may also want to look into Zend_Auth which you can use to persist an identity in the session. The identity can be anything from a simple boolean value indicating if they are logged in, to a full blown user object that implements Zend_Acl_Role_Interface. Zend Auth is also easily extended so you can have multiple Zend_Auth sessions active at the same time by using different namespaces for each instance, and could have your custom auth class set different time limits on different session namespaces.

我希望这有助于回答您的问题,如果您对我所说的有任何疑问,请随时发表评论.

I hope that helps answer your question, feel free to comment if you have questions on what I said.

我测试了以下代码,它在设定的时间后成功使我的 Zend_Auth 身份过期.我在 60 秒内对其进行了低测试,在等待 60 秒加载页面后,我不再拥有身份并被注销".您可以将此添加到您的会话跟踪插件中.

I tested the following code and it successfully expired my Zend_Auth identity after the set time. I tested it low with 60 seconds and after waiting 60 seconds to load the page, I no longer had and identity and was "logged out". You could add this to your session track plugin.

<?php
$auth = Zend_Auth::getInstance();

if ($auth->hasIdentity()) { // user is logged in
    // get an instance of Zend_Session_Namespace used by Zend_Auth
    $authns = new Zend_Session_Namespace($auth->getStorage()->getNamespace());

    // set an expiration on the Zend_Auth namespace where identity is held
    $authns->setExpirationSeconds(60 * 30);  // expire auth storage after 30 min
}

相关文章