Laravel Sanctum和基于Cookie的会话安全
因此,我使用Laravel Sanctum建议的基于Cookie的身份验证的Laravel应用程序进行了一个水疗设备。
但是,我很难使用基于Cookie的会话来了解周围的安全性。从我可以看到的,如果我对Laravel应用程序进行身份验证,我会在存储客户端的cookie中收到会话。一切都很好,预期。
但是,如果然后请求一些数据,然后继续登录我的应用程序,然后在“网络”选项卡中以先前的请求发送数据请求,尽管以前尝试过使用Laravel进行了未经身份验证,但我还是返回数据。在我看来,Laravel并未使上一届会议无效。
采取以下方案:
- 发送访问 /sanctum /csrf-cookie
- 将帖子发送到 /auth /login to上面的cookie(和auth Creds)
- 发送get to /auth /auth /user用上述cookie(接收验证用户返回)
- 发送给 /auth to /auth /通过上述cookie
- 会话注销无效
- 发送给 /auth /user(使用first cookie,或在网络选项卡中重新发送第一个 /auth /user请求)
- ,我在尝试注销
我可以'可以'这是拉拉维尔(Laravel)允许这是一件事情的想法,所以我有些确信我在某个地方会丢失一步。
以下是我目前在注销控制器中所拥有的;我已经尝试过有或没有网络守护程序,有或没有会话无效的呼叫。是否有一种“正确”的方式来执行此操作,或者这只是基于Cookie的会话的工作方式;他们只是存储客户端吗?我应该能够再次请求数据并得到认证吗?
Auth::guard('web')->logout();
$request->session()->invalidate();
$request->session()->regenerateToken();
So I have a SPA set up to authenticate with a Laravel application using Laravel Sanctum's suggested cookie-based authentication.
I'm having a bit of a hard time understanding the security surrounding using the cookie-based sessions however. From what I can see, if I authenticate with my Laravel application, I receive the session in a cookie in my storage client-side. All well and good, and expected.
However, if I then request some data, and then proceed to log out of my application, then send a request for data with a previous request in the network tab, I get the data returned, despite having previously attempted to unauthenticated with Laravel. This seems to me like Laravel has not invalidated the previous session.
Take the following scenario:
- Send GET to /sanctum/csrf-cookie
- Send POST to /auth/login with above cookie (and auth creds)
- Send GET to /auth/user with above cookie (receive auth user back)
- Send POST to /auth/logout with above cookie
- Session should be invalidated
- Send POST to /auth/user (using first cookie, or resend first /auth/user request in network tab)
- I get the /auth/user data back, after attempting to logout
I can't fathom that Laravel would allow this to be a thing, so I'm somewhat confident there's a step I'm missing somewhere.
The following is what I have in my logout controller at present; I've tried with and without the web guard, with and without the session invalidate calls. Is there a "right" way of doing this, or is this just some flaw in the way cookie-based sessions work; are they only stored client-side? Should I be able to request data again and be authenticated?
Auth::guard('web')->logout();
$request->session()->invalidate();
$request->session()->regenerateToken();
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(1)
当使用
cookiesession> auth :: guard('web'') - > logout(); 在我的注销Web路由中,我遇到了同一问题。虽然我找不到任何文档来支持这一点,但我相信这是因为cookie仅存储在此配置中的客户端。将驱动程序从
cookie更改为数据库通过保持会话数据服务器端来解决问题,注销功能能够使其无效,并且先前发行的cookie将不再起作用。“ https://laravel.com/docs/9.x/session#database”的说明进行说明。
为了进行此更改,我们可以按照数据库会话驱动程序,您将需要创建一个表以包含会话记录。 [...]您可以使用
session:Table工匠命令来生成此迁移。完成此操作后,更新
session_driver在您的.env文件中,cookiedatabaseI ran into the same issue when using the
cookiesession driver andAuth::guard('web')->logout();in my logout web route. While I couldn't find any documentation to support this, I believe it's because the cookie is only stored client side in this configuration.Changing the driver from
cookietodatabasesolved the issue by keeping the session data server side, the logout function is able to invalidate it and previously issued cookies will no longer work.To make this change we can follow the instructions from the Laravel docs:
When using the
databasesession driver, you will need to create a table to contain the session records. [...] You may use thesession:tableArtisan command to generate this migration.Once this is done update the
SESSION_DRIVERoption in your.envfile fromcookietodatabase