PHP, cookies, and rapid browser refresh

For my login system, I have a token value that changes every time authentication occurs. Authentication occurs every time any page is accessed (by looking for token cookies and sessions and such), as well as on every $.ajax call (my thought is that I would want to ensure the user is authenticated at all times, and if ever authentication fails with a bad token or series or whatever, the system would automatically completely log out). During the authentication process, when it is determined that the current session is valid, a new token is generated, and that token is set as a cookie as well as updated in a MySQL table, as such:

// my_mysqli_query(), now() and setmycookie() are helpers from the poster's own code base, not PHP built-ins.
$newtoken = hash("sha256", mt_rand());
my_mysqli_query($link, 
                'UPDATE _rememberme SET token = "'.$newtoken.'", lastupdated = "'.now().'" 
                 WHERE series = "'.$series.'" AND email = "'.$email.'"');
setmycookie("token", $newtoken, 7);   // 7 = cookie lifetime passed to the helper

When I rapidly refresh the browser, it ends up that the MySQL token and the cookie token do not match. I think that the problem is that during a rapid refresh, the MySQL table gets updated, but then a refresh occurs and the script aborts before updating the cookie. This causes future authentication failures because the cookie token doesn't match the MySQL token.

I would really appreciate some ideas on how to survive a user rapidly refreshing their browser.

I have researched this issue and had little success in finding a solution.

Your solution adds nothing to the security, and adds a great source of headaches for your users.

If you use PHP Sessions, you don't have to rely on multiple cookies, and don't have to hash everything on every access. Having sessions in place will increase the security, as your users will not be able to change their session variables. A cookie is user-modifiable, so you can't blindly trust them. A user can change the PHPSESSION cookie, though, but the chance of changing the session to another one is so, so small that it is almost impossible.

With your current code, if a user opens a link in a new tab, and before the request returns he opens another link, he will be logged off. The cookie will change on the first request, but before the browser gets the new value, the user submits another request with the old cookie. The new value is in the database, the new request with the old value is processed, and the session is invalidated. Another unhappy user confused because he was randomly logged off.
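The race the answer describes (request A rotates the token, request B arrives with the old cookie before A's Set-Cookie has been applied) is easy to reproduce, and the usual fix for a per-request rotation scheme like the one in the question is a short grace window in which the immediately previous token is still accepted without rotating again. The following is an added example, not code from the question or the answer: a Python stand-in for the PHP/MySQL scheme, with an in-memory dict in place of the _rememberme table, a constructed sample user, a CSPRNG instead of mt_rand(), and the assumption (matching the question's "completely log out") that an unknown or stale token for a known series invalidates the whole series.

```python
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass
class RememberMeRow:
    """One row of a _rememberme-style table (kept in memory here)."""
    series: str
    email: str
    token: str                     # current token, the value expected in the cookie
    previous_token: Optional[str]  # token rotated out most recently
    rotated_at: float              # when the current token was issued


class TokenStore:
    """Rotating remember-me tokens with an optional grace window.

    grace_seconds == 0 reproduces the strict behaviour in the question: only
    the newest token is accepted, so a request that still carries the old
    cookie kills the series. A positive grace window also accepts the
    immediately previous token for a few seconds after rotation, which is
    exactly what a rapid refresh or a second tab produces.
    """

    def __init__(self, grace_seconds: float = 0.0) -> None:
        self.grace = grace_seconds
        self.rows: Dict[str, RememberMeRow] = {}

    @staticmethod
    def new_token() -> str:
        # CSPRNG; mt_rand() in the question is not suitable for auth tokens.
        return secrets.token_hex(32)

    def issue(self, email: str, now: float) -> Tuple[str, str]:
        """Log-in: create a new series and its first token."""
        series = secrets.token_hex(16)
        token = self.new_token()
        self.rows[series] = RememberMeRow(series, email, token, None, now)
        return series, token

    def authenticate(self, series: str, presented: str, now: float) -> Optional[str]:
        """Validate a (series, token) cookie pair.

        Returns the token the response should Set-Cookie, or None when the
        request must be treated as unauthenticated.
        """
        row = self.rows.get(series)
        if row is None:
            return None

        if secrets.compare_digest(presented, row.token):
            # Normal path: rotate, and remember the old token for the grace window.
            row.previous_token = row.token
            row.token = self.new_token()
            row.rotated_at = now
            return row.token

        in_grace = (
            self.grace > 0
            and row.previous_token is not None
            and secrets.compare_digest(presented, row.previous_token)
            and now - row.rotated_at <= self.grace
        )
        if in_grace:
            # A concurrent request that raced the Set-Cookie. Do NOT rotate
            # again: hand back the current token so every in-flight response
            # sets the same cookie value.
            return row.token

        # Unknown or stale token for a known series: the classic sign of a
        # stolen cookie, so invalidate the whole series (assumed policy).
        del self.rows[series]
        return None


def simulate_rapid_refresh(grace_seconds: float) -> Tuple[bool, bool, bool]:
    """Replay the race from the answer: A rotates, B arrives with the old cookie.

    Returns whether requests A, B and a later request C were accepted.
    """
    store = TokenStore(grace_seconds)
    t0 = 1_000.0
    series, cookie = store.issue("alice@example.com", now=t0)  # constructed sample user

    # Request A: page load; the server rotates and its Set-Cookie is still in flight.
    tok_a = store.authenticate(series, cookie, now=t0 + 10.0)
    # Request B: reload 200 ms later; the browser still sends the OLD cookie.
    tok_b = store.authenticate(series, cookie, now=t0 + 10.2)
    # Request C: the browser has now applied the newest Set-Cookie it received.
    latest = tok_b or tok_a
    tok_c = store.authenticate(series, latest, now=t0 + 15.0) if latest else None

    return tok_a is not None, tok_b is not None, tok_c is not None


if __name__ == "__main__":
    print("strict rotation:", simulate_rapid_refresh(0.0))   # (True, False, False)
    print("30 s grace     :", simulate_rapid_refresh(30.0))  # (True, True, True)
```

Two design points carry over to the PHP version: the grace hit must return the current token rather than rotating a second time, otherwise two in-flight responses set different cookies and the last one to arrive wins; and the window should be short (seconds, not the cookie's seven-day lifetime), because a previous token that is still valid is also a previous token an attacker can still replay.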

Notice: technical posts on this site are under CC BY-SA 4.0; if you repost, credit this site or the original URL.

© 2020-2024 STACKOOM.COM