无需记住我令牌的Laravel身份验证
[英]Laravel authentication without remember me token
问题描述
I am using Laravel 4.2's authentication mechanism and I am trying to figure out when and how the "remember me" cookie token gets set. 
我正在使用Laravel 4.2的身份验证机制,并且试图弄清楚何时以及如何设置“记住我” cookie令牌。
For some reason when I do the following code, even though the second parameter is false , when I close the browser and reopen it I still get logged in automatically without needing to type in the username and password. 由于某些原因,当我执行以下代码时,即使第二个参数为false ,当我关闭浏览器并重新打开它时,我仍然会自动登录,而无需键入用户名和密码。 So practically it is always acting as if the 'Remember Me' is checked, even if it is false . 因此,即使它为false ,实际上它始终就像选中“ Remember Me”一样。
My authentication code: 我的验证码:
//called on POST of login page with credentials
$userdata = array(
'email' => Input::get('email'),
'password' => Input::get('password')
);
// attempt to do the login
if (Auth::attempt($userdata, false))
{
//redirect to main secure page
My check on the login page to check if the user was already authenticated: 我在登录页面上进行检查,以检查用户是否已通过身份验证:
//called on GET of login page
if (Auth::check())
{
//user already logged in, redirect to main secure page immediately
Even though Auth::attempt() is being passed false , the Auth::check() still returns true when I close the browser and reopen it, which normally clears any sessions. 即使Auth::attempt()被传递为false ,当我关闭浏览器并重新打开浏览器时, Auth::check()仍返回true,这通常会清除所有会话。
When I used to do authentication manually in PHP (not using Laravel's Authentication method), I used to use something like: 当我以前在PHP中手动进行身份验证(不使用Laravel的Authentication方法)时,我曾经使用过类似的方法:
//authenticate the user with the DB and get the $user object
$_SESSION['user'] = $user; //set it in the session
And then in my secure pages I would check if the user is logged in by doing: 然后在我的安全页面中,通过执行以下操作检查用户是否已登录:
if (isset($_SESSION['user']))
{
//user already logged in ...
In this case, closing the browser and reopening it cleared the session. 在这种情况下,关闭浏览器然后重新打开将清除会话。 (I just verified this again with one of my older webapps and it still behaves that way, so its not some browser issue). (我只是使用一个较旧的Webapp再次验证了这一点,它的行为仍然如此,因此它不是浏览器问题)。
Is there any reason why Laravel is not behaving in this way? Laravel不以这种方式行事有任何原因吗? If it is retaining the authentication session across browser sessions anyway, what is the point of passing the 'remember me' flag? 如果仍然在浏览器会话之间保留身份验证会话,那么传递“记住我”标志的意义是什么? Is there a way to disable this behaviour and make it work normally (ie when the browser is closed the session is no longer retained)? 有没有办法禁用此行为并使其正常工作(即,当关闭浏览器时,不再保留会话)?
1 个解决方案
解决方案1
4 已采纳 2014-10-24 01:29:46
OK seems that apart from the config/auth.php configuration there is a more detailed session configuration in config/session.php , and what I want is actually there in that file. OK看来,除了config/auth.php配置有更详细的会话配置config/session.php ,和我要的是居然有在该文件中。
The setting 'expire_on_close' => false in that file is what is causing this behaviour, and changing it to true immediately solves the issue. 该文件中的设置'expire_on_close' => false是导致此行为的原因,将其更改为true立即解决此问题。
Not sure why its false by default. 不知道为什么默认情况下为false 。 Its not secure if people just close their browser without logging out of the application (since they wouldn't have checked the 'remember me' flag they would think that the application wouldn't remember them and the session would have been destroyed), and someone else opens the browser and would be able to access the secure pages just the same. 如果人们只是关闭浏览器而不注销应用程序,那是不安全的(因为他们不会检查“ remember me”标志,他们会认为应用程序不会记住他们,并且会话将被破坏),并且其他人打开浏览器,将能够同样访问安全页面。
Anyway, posted answer in case someone needs it. 无论如何,如果有人需要,请发布答案。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.