Is there a way to invalidate a user's cookie?

Posted 2025-01-04 09:00:42 · 419 characters · 3 views · 0 comments
Is there a way to invalidate user's cookie?

Scenario:

  1. User comes to my website (I can get any data I want);
  2. User leaves the pages;
  3. After some time a callback from another server comes with user ID. At this point, I need to invalidate user session and cookies.

With sessions, this was as simple as:

session_id($user['session_id']); // select the stored session by its id
session_destroy();               // and destroy it server-side

How to achieve the same with cookies?

Please see the comments under this post for more details and how it is related to Facebook.

The simple solution would be to replace the bit where PHP-SDK is storing information about the user from cookies to session, but going to the package file is always a bad idea.

Comments (3)

枉心 2025-01-11 09:00:42

EDIT

Your other comments suggest you're not really aware of what a cookie literally is, so I apologize in advance if you already understand what I'm about to explain.

Although I suspect you need some Facebook-specific help in answering or resolving your actual concern, I'd like to point out what a cookie actually is:

HTTP/1.1 200 OK
Content-type: text/html
Set-Cookie: name=value
Set-Cookie: name2=value2; Expires=Wed, 09 Jun 2021 10:18:14 GMT

http://en.wikipedia.org/wiki/HTTP_cookie#Setting_a_cookie

This is how cookies are transmitted between the client and server (requester/responder). You can use the Net tab in Firebug or Chrome Console to see for yourself how requests are made and what data is sent back and forth. They are not by nature "logged" systematically, are not finite "things" per se, but simply part of a header which is included in the packet of the request and response, something like a CC/BCC field in an email header: pseudo-transient but descriptive.

To accomplish the effect of cookies being validated before they are consumed, you would need to determine how to attach a reference ID to the cookie, or (alternately) detect a specific cookie with a calculated code that must be present when the other data is submitted in a request. Another approach is described in Jan's answer.

Cookies, though, are not typically handled this way. They're just transports, means to an end, filling a void between GET and POST.


You're not "invalidating a cookie" so much as invalidating the permissions that cookie's data is extending to whoever is using it in conjunction with requests.

One, how do you know it comes from a different server? Two, if you can determine a request is not legitimate, whatever that cookie's data references on your server to give it permission to perform actions on behalf of a user needs to be removed, i.e., whatever session is indicated is ended/destroyed, or whatever else.

The cookie, though, is only a transport for that data. You have to be able to intercept, detect, and block whatever access it provides its holder with to render it "useless".

If you're asking something specific, please provide more information. But essentially it seems as if all you need to do is have a way to ignore cookies which contain data that you've identified as not valid or authentic or provides improper access (to imposters).

謸气贵蔟 2025-01-11 09:00:42


You can't set (unset/invalidate) a cookie for a user that is not making a request to your server directly. You will have to do some more work.

I would go this way about it:

Store which cookies you have set for a user somewhere (db, redis, whatever). This way you will know which cookies the user has. Then when a request to invalidate comes, mark the cookies for that user in your storage as deleted (or something like that). Then every time a user requests your page, check if he has any deleted cookies in your storage. If he has, destroy his session and invalidate his cookies there (setting them in the past, for instance).
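The approach from the two answers above (attach a reference ID to the cookie and validate it before use; keep a server-side record so an out-of-band callback can mark it revoked) in one runnable piece. This is an added example, not code from the question or the answers: the storage is an in-memory SQLite database via PDO, and the table name `auth_tokens`, the cookie name `auth_token` and the function names are all hypothetical. It runs from the command line, where `setcookie()` is skipped because there is no HTTP response to write to.

```php
<?php
// Added example: server-side revocation of an auth cookie.
// Assumed schema and names (auth_tokens, auth_token) are hypothetical.
declare(strict_types=1);

const COOKIE_NAME = 'auth_token';

function openStore(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE auth_tokens (
        token_hash TEXT PRIMARY KEY,
        user_id    INTEGER NOT NULL,
        revoked    INTEGER NOT NULL DEFAULT 0,
        expires_at INTEGER NOT NULL)');
    return $db;
}

// Step 1: on login, issue a random reference token and record it per user.
// Only the hash is stored, so a leaked table does not hand out working cookies.
function issueCookie(PDO $db, int $userId, int $ttl = 3600): string
{
    $token = bin2hex(random_bytes(32));
    $stmt = $db->prepare(
        'INSERT INTO auth_tokens (token_hash, user_id, expires_at) VALUES (?, ?, ?)'
    );
    $stmt->execute([hash('sha256', $token), $userId, time() + $ttl]);
    if (PHP_SAPI !== 'cli') {
        setcookie(COOKIE_NAME, $token, [
            'expires'  => time() + $ttl,
            'path'     => '/',
            'secure'   => true,
            'httponly' => true,
            'samesite' => 'Lax',
        ]);
    }
    return $token;
}

// Step 2: the callback from the other server only carries a user ID,
// so mark every token issued to that user as revoked. Returns rows affected.
function revokeUser(PDO $db, int $userId): int
{
    $stmt = $db->prepare('UPDATE auth_tokens SET revoked = 1 WHERE user_id = ?');
    $stmt->execute([$userId]);
    return $stmt->rowCount();
}

// Step 3: on every request, validate the presented cookie before trusting it.
// Unknown, expired or revoked tokens yield null and the browser is told to drop the cookie.
function authenticate(PDO $db, ?string $token): ?int
{
    if ($token === null || !preg_match('/^[0-9a-f]{64}$/', $token)) {
        return null;
    }
    $stmt = $db->prepare(
        'SELECT user_id FROM auth_tokens
          WHERE token_hash = ? AND revoked = 0 AND expires_at > ?'
    );
    $stmt->execute([hash('sha256', $token), time()]);
    $userId = $stmt->fetchColumn();
    if ($userId === false) {
        if (PHP_SAPI !== 'cli') {
            // Expiry in the past makes the browser discard the stale cookie.
            setcookie(COOKIE_NAME, '', [
                'expires' => time() - 3600, 'path' => '/',
                'secure' => true, 'httponly' => true,
            ]);
        }
        return null;
    }
    return (int) $userId;
}

// Walk-through with constructed values: login, out-of-band revocation, retry.
$db    = openStore();
$token = issueCookie($db, 42);
var_dump(authenticate($db, $token));
revokeUser($db, 42);
var_dump(authenticate($db, $token));
```

The cookie itself never changes and the user never has to be online for the revocation to take effect; what changes is the server's willingness to honour it, which is exactly the point the first answer makes about invalidating the permission rather than the cookie.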

蓝海 2025-01-11 09:00:42


Cookies live on the client side; you can do nothing with them on the server side.
However, if your "after some time" means the cookie should expire after some time, you should set the expiry time when you set the cookie. You don't need to worry about whether the user is still on his page or not, because if he leaves and accesses it again after some time, the browser will deal with it for you.

For example, the code below shows how to set a cookie which should expire after 1 hour.

$value = 'something from somewhere';

setcookie("TestCookie", $value);                                            /* session cookie, gone when the browser closes */
setcookie("TestCookie", $value, time()+3600);                               /* expire in 1 hour */
setcookie("TestCookie", $value, time()+3600, "/~rasmus/", "example.com", 1); /* same, limited to a path and domain, HTTPS only */