Laravel cookie 存储在每几次访问后都会被超出

Question

我对 laravel 的remember me功能有点问题。 通常，laravel 添加一个session cookie 、一个xsrf 令牌和一个带有随机 hash 值的第三个 cookie 。 （下图）

当我按照正常的 login-do stuff-logout-repeat 程序进行操作时，一切正常。 没有添加额外的 cookies。

如果我登录，关闭浏览器，然后再次访问该站点，就会添加另一个 cookie。 这个看起来像第三块饼干。 在重复这个特定的流程时，我看到有一个主要的 cookie 膨胀。 我什至不确定所有这些都会被使用。 （下图）

当我在登录时检查remember me时，会添加另一个remember_me令牌。 当我关闭浏览器 window 并再次访问该站点时，我会自动登录。 与上述情况类似，当我重复此过程几次时，会添加越来越多的 cookies。 （下图）

最终，我收到一条错误消息

Bad request Your browser sent a request that this server could not understand.
Size of a request header field exceeds server limit.

Cookie

在那之后网站甚至没有打开，除非我手动清除 cookies。

我的问题是，当我通过上述方案 go 时，如何删除旧的 cookies？ Laravel 有什么办法可以解决我可能遗漏的问题吗？ 当每次访问都会生成一个新的 cookie 时，有什么方法可以删除旧的 cookie？

唯一最接近我的问题是这个，但答案对我不起作用。

我正在使用 Laravel 的AuthController和我的session.php看起来像这样：

<?php

return [

    /*
    |--------------------------------------------------------------------------
    | Default Session Driver
    |--------------------------------------------------------------------------
    |
    | This option controls the default session "driver" that will be used on
    | requests. By default, we will use the lightweight native driver but
    | you may specify any of the other wonderful drivers provided here.
    |
    | Supported: "file", "cookie", "database", "apc",
    |            "memcached", "redis", "array"
    |
    */

    'driver' => env('SESSION_DRIVER'),

    /*
    |--------------------------------------------------------------------------
    | Session Lifetime
    |--------------------------------------------------------------------------
    |
    | Here you may specify the number of minutes that you wish the session
    | to be allowed to remain idle before it expires. If you want them
    | to immediately expire on the browser closing, set that option.
    |
    */

    'lifetime' => 120,

    'expire_on_close' => true,

    /*
    |--------------------------------------------------------------------------
    | Session Encryption
    |--------------------------------------------------------------------------
    |
    | This option allows you to easily specify that all of your session data
    | should be encrypted before it is stored. All encryption will be run
    | automatically by Laravel and you can use the Session like normal.
    |
    */

    'encrypt' => true,

    /*
    |--------------------------------------------------------------------------
    | Session File Location
    |--------------------------------------------------------------------------
    |
    | When using the native session driver, we need a location where session
    | files may be stored. A default has been set for you but a different
    | location may be specified. This is only needed for file sessions.
    |
    */

    'files' => storage_path('framework/sessions'),

    /*
    |--------------------------------------------------------------------------
    | Session Database Connection
    |--------------------------------------------------------------------------
    |
    | When using the "database" or "redis" session drivers, you may specify a
    | connection that should be used to manage these sessions. This should
    | correspond to a connection in your database configuration options.
    |
    */

    'connection' => null,

    /*
    |--------------------------------------------------------------------------
    | Session Database Table
    |--------------------------------------------------------------------------
    |
    | When using the "database" session driver, you may specify the table we
    | should use to manage the sessions. Of course, a sensible default is
    | provided for you; however, you are free to change this as needed.
    |
    */

    'table' => 'sessions',

    /*
    |--------------------------------------------------------------------------
    | Session Sweeping Lottery
    |--------------------------------------------------------------------------
    |
    | Some session drivers must manually sweep their storage location to get
    | rid of old sessions from storage. Here are the chances that it will
    | happen on a given request. By default, the odds are 2 out of 100.
    |
    */

    'lottery' => [2, 100],

    /*
    |--------------------------------------------------------------------------
    | Session Cookie Name
    |--------------------------------------------------------------------------
    |
    | Here you may change the name of the cookie used to identify a session
    | instance by ID. The name specified here will get used every time a
    | new session cookie is created by the framework for every driver.
    |
    */

    'cookie' => 'zpz_session',

    /*
    |--------------------------------------------------------------------------
    | Session Cookie Path
    |--------------------------------------------------------------------------
    |
    | The session cookie path determines the path for which the cookie will
    | be regarded as available. Typically, this will be the root path of
    | your application but you are free to change this when necessary.
    |
    */

    'path' => '/',

    /*
    |--------------------------------------------------------------------------
    | Session Cookie Domain
    |--------------------------------------------------------------------------
    |
    | Here you may change the domain of the cookie used to identify a session
    | in your application. This will determine which domains the cookie is
    | available to in your application. A sensible default has been set.
    |
    */

    'domain' => null,

    /*
    |--------------------------------------------------------------------------
    | HTTPS Only Cookies
    |--------------------------------------------------------------------------
    |
    | By setting this option to true, session cookies will only be sent back
    | to the server if the browser has a HTTPS connection. This will keep
    | the cookie from being sent to you if it can not be done securely.
    |
    */

    'secure' => false,

];

Answer 1

Cookie Header 的限制为 4096 字节（ https://stackoverflow.com/a/52492934/49114 ），您会收到此错误，因为加密的 cookie 非常大，并且每个创建的 cookie 都会向 cookie 头添加越来越多的字节。

可能的解决方案：

1. 将大量数据存储在数据库而不是 cookie 上，并将 cookie 仅用于参考。
2. 使用'encrypt' => false,禁用 cookie 加密'encrypt' => false,并避免将敏感信息存储到 cookie 中。
3. 禁用 laravel 加密 cookie 并将您自己的加密添加到 cookie 内容。

Answer 2

有同样的问题，最后意识到我在这些行中配置了错误的.env：

SESSION_DOMAIN=.mydomain.sk
SANCTUM_STATEFUL_DOMAINS=mydomain.sk

应该：

SESSION_DOMAIN=.mydomain.sk
SANCTUM_STATEFUL_DOMAINS=.mydomain.sk

这些评论很有帮助： https://github.com/laravel/framework/issues/31442