通过id检查会话是否存在,而不更新会话的生命周期
我在 RIA 工作。我们使用 Memcached 来存储会话,并且我已经安装了 http://pecl.php.net/package/ memcache 和我的 PHP 会话处理程序如下所示:
$session_save_path = "tcp://$host:$port?persistent=1&weight=2&timeout=2&retry_interval=10, ,tcp://$host:$port ";
ini_set('session.save_handler', 'memcache');
ini_set('session.save_path', $session_save_path);
会话超时设置为 30 分钟。在我的 RIA 中,我想通过 AJAX 定期调用服务器端脚本来检查访问者的会话是否仍然存在。如果 ajax 调用返回 false,我会关闭屏幕并显示一个漂亮的重新日志框以继续会话。
现在问题出在服务器端脚本上。我需要确定会话是否存在而不延长会话的生命周期(如果存在)。
我并不完全了解会话处理程序的工作原理,但我很确定我是否会这样做:
<?
session_start();
if($_SESSION['loggedin'] == "yes")
echo "true";
else
echo "false";
?>
我很确定这会更新会话的生命周期(在服务器端,但也在客户端通过发送新的 cookie 返回给客户端)。并且会话将无限期地存在。
我考虑过但排除了一些选项:
- 不进行任何服务器端调用,但在客户端上使用 JavaScript 计时器(例如,30 分钟后到期)。当用户在多个窗口中打开 RIA 时,这将不起作用
- 尝试破解 session_start() 以防止它将新的 cookie 发送回客户端。这可能适用于客户端,但过期时间仍会在内部 session_handling 中刷新。
我想要一些想法,蒂亚
I'm working in a RIA. We use Memcached to store sessions, and I've installed http://pecl.php.net/package/memcache and my PHP session handler looks like this:
$session_save_path = "tcp://$host:$port?persistent=1&weight=2&timeout=2&retry_interval=10, ,tcp://$host:$port ";
ini_set('session.save_handler', 'memcache');
ini_set('session.save_path', $session_save_path);
The session timeout is set to 30min. In my RIA I want periodicly call a serverside script via AJAX to check if the visitor's session is still alive. If the ajax calls returns false I blackout the screen and show a pretty relogbox to continue the session.
Now the problem is with the serverside script. I need to determine if the session exists without extending the lifetime of the session if it does exists.
I'm not completely knowladble about the workings of the session handler, but i'm pretty sure if i would do this:
<?
session_start();
if($_SESSION['loggedin'] == "yes")
echo "true";
else
echo "false";
?>
I'm pretty sure this would renew the session's lifetime (on the serverside, but also on the clientside by sending a new cookie back to the client). And the session would exist indefinetly.
Some options i considered, but excluded:
- Don't do any serverside calls, but use a javascript timer on the client (expires after 30min for example). This won't work when the user has the RIA open in multiple windows
- Try to hack around the session_start() to prevent it from sending a new fresh cookie back to the client. This might work for the clientside, but the expirationtime would still be refreshed at the internal session_handling.
I'd like some idea's, T.i.a.
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(2)
您不必将会话超时与授权超时等同起来。我建议在会话中存储一个额外的变量,即用户登录时的时间戳。然后,如果会话不存在或时间戳太旧,您可以认为用户已注销。作为副作用,它还会为您提供额外的精度,因为会话不能保证在您设置它时准确过期,但可能会停留一段时间,直到垃圾收集运行。
事实上,我建议您将此功能包装在一个简单的类中,并执行以下操作:
等等
You don't have to equate the session timeout with the authorization timeout. I would suggest storing an extra variable in the session, a timestamp of when the user logged in. Then you can consider that the user logged out if the session doesn't exist or the timestamp is too old. As a side effect it will also give you extra precision because the session is not guaranteed to expire exactly when you've set it, but may linger around for a while longer until the garbage collection runs.
As a matter of fact I'd suggest you wrap this functionality in a simple class and do something like this:
etc, etc
不要仅使用 Javascript 来验证您的用户。您只是要求一些严重的安全问题。
您使用 Ajax 检查 $_SESSION['loggedin'] 的第一种方法将起作用 - 如果他们之前的会话已过期,它将在继续之前生成一个新的会话 id,因此 $_SESSION['loggedin'] 将不会被设置。
Don't validate your users with Javascript alone. You're just asking for some serious security issues.
Your first method of checking with Ajax for $_SESSION['loggedin'] will work - if their previous session has expired, it will generate a new session id before continuing and so $_SESSION['loggedin'] will not be set.