How do I set the auto-logout time in mochiweb?
I'm looking at the source code for mochiweb and seeing numbers that test cookie expiration time that look nothing like the behavior of the server that I've inherited. mochiweb has 111 and 86417 (a day plus 17 seconds) in source, but it looks like it only does any of that through cookie expiration and that - in test code. (see mochiweb_cookies.erl)
The server that I'm looking at is timing out users in about 10-15 minutes, but nowhere do I see any code that is setting the cookie value, nor do I see any code path through the mochiweb source that would even allow me to set it.
Any ideas?
Comments (1)
There are really two questions here: "How is my application doing session expiration?" and "How do I set a cookie with mochiweb_cookies?" Only the second one can be reasonably answered without further information.
mochiweb_cookies:cookie/3 returns a {"Set-Cookie", "headervalue"} pair which is appropriate as a value in the ResponseHeaders arguments of mochiweb_request:respond and mochiweb_request:ok.
It is of course possible to set cookies in mochiweb without using the mochiweb_cookies module, they're just headers after all. Your application may be setting the cookie by handcrafting the header, or a proxy or another application service hosted under the same domain may be setting the cookie.
That being said, if at all possible you should avoid relying on cookie expiration to log out users. The max-age is really just a hint to the browser to stop sending the cookie after that time has passed. A browser or an attacker can always misbehave and send the cookie indefinitely.
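Added example, not part of the original answer and not mochiweb's own code: one way to enforce the idle timeout on the server, so that logout does not depend on the browser honoring max-age. The module name, the ETS table name, the cookie name "sid" and the 900-second timeout are assumptions.

```erlang
-module(session_expiry).
-export([init/0, login/1, check/1, cookie_header/1]).

-define(TABLE, sessions).          % assumption: ETS table name
-define(IDLE_TIMEOUT_S, 900).      % assumption: 15 minutes of inactivity

%% Create the table holding {SessionId, User, LastSeen}. Call once from a
%% long-lived process, because the table dies with its owner.
init() ->
    ets:new(?TABLE, [named_table, public, set]).

%% Issue an unguessable session id and record when it was last used.
login(User) ->
    Bytes = crypto:strong_rand_bytes(32),
    Sid = lists:flatten([io_lib:format("~2.16.0b", [B]) || <<B>> <= Bytes]),
    true = ets:insert(?TABLE, {Sid, User, now_s()}),
    Sid.

%% Validate the id taken from the request's "sid" cookie (for example the
%% result of mochiweb_request's get_cookie_value). The server-side LastSeen
%% value decides expiry, whatever the client keeps sending.
check(undefined) ->
    {error, no_session};
check(Sid) ->
    Now = now_s(),
    case ets:lookup(?TABLE, Sid) of
        [{Sid, User, LastSeen}] when Now - LastSeen =< ?IDLE_TIMEOUT_S ->
            true = ets:update_element(?TABLE, Sid, {3, Now}),  % sliding window
            {ok, User};
        [_Stale] ->
            true = ets:delete(?TABLE, Sid),   % expired ids cannot be replayed
            {error, expired};
        [] ->
            {error, no_session}
    end.

%% Build the {"Set-Cookie", Value} pair for the ResponseHeaders list.
%% max_age mirrors the server timeout but is only a hint to the browser.
cookie_header(Sid) ->
    mochiweb_cookies:cookie("sid", Sid,
        [{path, "/"}, {max_age, ?IDLE_TIMEOUT_S},
         {http_only, true}, {secure, true}]).

%% Monotonic seconds: immune to wall-clock changes, valid for the node's lifetime.
now_s() ->
    erlang:monotonic_time(second).
```

On {error, expired} or {error, no_session} the handler should reject the request or redirect to login instead of trusting the presented cookie.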