Laravel cookie 存儲在每幾次訪問后都會被超出

Question

我對 laravel 的remember me功能有點問題。 通常，laravel 添加一個session cookie 、一個xsrf 令牌和一個帶有隨機 hash 值的第三個 cookie 。 （下圖）

當我按照正常的 login-do stuff-logout-repeat 程序進行操作時，一切正常。 沒有添加額外的 cookies。

如果我登錄，關閉瀏覽器，然后再次訪問該站點，就會添加另一個 cookie。 這個看起來像第三塊餅干。 在重復這個特定的流程時，我看到有一個主要的 cookie 膨脹。 我什至不確定所有這些都會被使用。 （下圖）

當我在登錄時檢查remember me時，會添加另一個remember_me令牌。 當我關閉瀏覽器 window 並再次訪問該站點時，我會自動登錄。 與上述情況類似，當我重復此過程幾次時，會添加越來越多的 cookies。 （下圖）

最終，我收到一條錯誤消息

Bad request Your browser sent a request that this server could not understand.
Size of a request header field exceeds server limit.

Cookie

在那之后網站甚至沒有打開，除非我手動清除 cookies。

我的問題是，當我通過上述方案 go 時，如何刪除舊的 cookies？ Laravel 有什么辦法可以解決我可能遺漏的問題嗎？ 當每次訪問都會生成一個新的 cookie 時，有什么方法可以刪除舊的 cookie？

唯一最接近我的問題是這個，但答案對我不起作用。

我正在使用 Laravel 的AuthController和我的session.php看起來像這樣：

<?php

return [

    /*
    |--------------------------------------------------------------------------
    | Default Session Driver
    |--------------------------------------------------------------------------
    |
    | This option controls the default session "driver" that will be used on
    | requests. By default, we will use the lightweight native driver but
    | you may specify any of the other wonderful drivers provided here.
    |
    | Supported: "file", "cookie", "database", "apc",
    |            "memcached", "redis", "array"
    |
    */

    'driver' => env('SESSION_DRIVER'),

    /*
    |--------------------------------------------------------------------------
    | Session Lifetime
    |--------------------------------------------------------------------------
    |
    | Here you may specify the number of minutes that you wish the session
    | to be allowed to remain idle before it expires. If you want them
    | to immediately expire on the browser closing, set that option.
    |
    */

    'lifetime' => 120,

    'expire_on_close' => true,

    /*
    |--------------------------------------------------------------------------
    | Session Encryption
    |--------------------------------------------------------------------------
    |
    | This option allows you to easily specify that all of your session data
    | should be encrypted before it is stored. All encryption will be run
    | automatically by Laravel and you can use the Session like normal.
    |
    */

    'encrypt' => true,

    /*
    |--------------------------------------------------------------------------
    | Session File Location
    |--------------------------------------------------------------------------
    |
    | When using the native session driver, we need a location where session
    | files may be stored. A default has been set for you but a different
    | location may be specified. This is only needed for file sessions.
    |
    */

    'files' => storage_path('framework/sessions'),

    /*
    |--------------------------------------------------------------------------
    | Session Database Connection
    |--------------------------------------------------------------------------
    |
    | When using the "database" or "redis" session drivers, you may specify a
    | connection that should be used to manage these sessions. This should
    | correspond to a connection in your database configuration options.
    |
    */

    'connection' => null,

    /*
    |--------------------------------------------------------------------------
    | Session Database Table
    |--------------------------------------------------------------------------
    |
    | When using the "database" session driver, you may specify the table we
    | should use to manage the sessions. Of course, a sensible default is
    | provided for you; however, you are free to change this as needed.
    |
    */

    'table' => 'sessions',

    /*
    |--------------------------------------------------------------------------
    | Session Sweeping Lottery
    |--------------------------------------------------------------------------
    |
    | Some session drivers must manually sweep their storage location to get
    | rid of old sessions from storage. Here are the chances that it will
    | happen on a given request. By default, the odds are 2 out of 100.
    |
    */

    'lottery' => [2, 100],

    /*
    |--------------------------------------------------------------------------
    | Session Cookie Name
    |--------------------------------------------------------------------------
    |
    | Here you may change the name of the cookie used to identify a session
    | instance by ID. The name specified here will get used every time a
    | new session cookie is created by the framework for every driver.
    |
    */

    'cookie' => 'zpz_session',

    /*
    |--------------------------------------------------------------------------
    | Session Cookie Path
    |--------------------------------------------------------------------------
    |
    | The session cookie path determines the path for which the cookie will
    | be regarded as available. Typically, this will be the root path of
    | your application but you are free to change this when necessary.
    |
    */

    'path' => '/',

    /*
    |--------------------------------------------------------------------------
    | Session Cookie Domain
    |--------------------------------------------------------------------------
    |
    | Here you may change the domain of the cookie used to identify a session
    | in your application. This will determine which domains the cookie is
    | available to in your application. A sensible default has been set.
    |
    */

    'domain' => null,

    /*
    |--------------------------------------------------------------------------
    | HTTPS Only Cookies
    |--------------------------------------------------------------------------
    |
    | By setting this option to true, session cookies will only be sent back
    | to the server if the browser has a HTTPS connection. This will keep
    | the cookie from being sent to you if it can not be done securely.
    |
    */

    'secure' => false,

];

Answer 1

Cookie Header 的限制為 4096 字節（ https://stackoverflow.com/a/52492934/49114 ），您會收到此錯誤，因為加密的 cookie 非常大，並且每個創建的 cookie 都會向 cookie 頭添加越來越多的字節。

可能的解決方案：

1. 將大量數據存儲在數據庫而不是 cookie 上，並將 cookie 僅用於參考。
2. 使用'encrypt' => false,禁用 cookie 加密'encrypt' => false,並避免將敏感信息存儲到 cookie 中。
3. 禁用 laravel 加密 cookie 並將您自己的加密添加到 cookie 內容。

Answer 2

有同樣的問題，最后意識到我在這些行中配置了錯誤的.env：

SESSION_DOMAIN=.mydomain.sk
SANCTUM_STATEFUL_DOMAINS=mydomain.sk

應該：

SESSION_DOMAIN=.mydomain.sk
SANCTUM_STATEFUL_DOMAINS=.mydomain.sk

這些評論很有幫助： https://github.com/laravel/framework/issues/31442