Question
I'm using Zend_Session to manage my user sessions, and I was looking to implement a "Remember Me" option in my application to keep users logged in for 2 weeks or so.
I've noticed that Zend_Session already has a built-in function called Zend_Session::rememberMe, however I'm not sure whether that function's logic is correct to use as a persisted login.
Essentially, the rememberMe function just extends the active session's expiration date, which means that if the user uses the remember-me option, he'll stay logged in for 2 weeks with an active session.
This brings up 2 major issues.
- I store sessions in the database, which means all of these inactive users sit in my session table for 2 weeks. I have more than 50,000 inactive sessions, and this is hurting the application's performance.
- I want to know whether a user comes back to the site after 24 hours of inactivity, so I can re-verify his information. Since his session stays open, I can't tell whether he came back after 1 hour or after 1 week, because his active session ID is the same.
I've read that if I want to implement a remember-me feature, I shouldn't use the session cookie for that; I should create another "login cookie" to remember a hashed user_id and a token. Here's the complete explanation: What is the best way to implement "remember me" for a website?
So why does Zend Framework offer such a function, if using it can create performance and security issues?
Recommended answer
+1 for noting the major flaw behind Zend's approach to the 'remember me' functionality. Some people don't understand that there is a penalty to be paid when they attempt to extend the session lifetime, regardless of whether the session handler is file or DB based. Allowing stale sessions to persist beyond a reasonable time-frame is a weak solution, and you are better off implementing the custom cookie solution outlined in the link you provided.
The direct answer to your question; who knows. Maybe they didn't consider the fact that many users opt for database session handling, and figured piling up stale session cookies on the filesystem had no direct impact on performance.
Also, if you wanted to track whether a user came back and re-established a stale session, you could add an 'updated_at' column to your session tracking table. You would then have two timestamp columns, created_at and updated_at, which would help you make this determination.
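The two suggestions above, the question's separate "login cookie" holding a random token whose hash is stored server-side, and the answer's created_at / last-used timestamps for telling a one-hour return from a one-week return, fit naturally into a single persistent-login table. The following is an added example written for this page; it is not code from the original post and not part of Zend Framework. It assumes a PDO connection (an in-memory SQLite database stands in for the real store, so the pdo_sqlite extension is needed), and the cookie name `remember_me`, the table name `persistent_logins` and the function names are hypothetical. The session cookie itself keeps its normal short lifetime; only this second cookie lives for two weeks.

```php
<?php
// Added example, not from the original post or from Zend Framework.
// Selector/validator persistent-login token kept in its own cookie.
// Assumed names: cookie "remember_me", table "persistent_logins" (hypothetical).

const REMEMBER_COOKIE = 'remember_me';
const REMEMBER_TTL    = 14 * 24 * 3600;   // two weeks, as in the question
const REAUTH_AFTER    = 24 * 3600;        // ask for credentials again after a day idle

$pdo = new PDO('sqlite::memory:');        // stand-in for the real database
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE persistent_logins (
    selector       TEXT PRIMARY KEY,
    validator_hash TEXT NOT NULL,
    user_id        INTEGER NOT NULL,
    expires_at     INTEGER NOT NULL,
    created_at     INTEGER NOT NULL,
    last_used_at   INTEGER NOT NULL
)');

// Called once, right after a successful password login with "remember me" ticked.
// Only the hash of the validator is stored, so a leaked table does not yield
// usable cookies. Returns the value to put in the cookie.
function issueRememberToken(PDO $pdo, int $userId, int $now): string
{
    $selector  = bin2hex(random_bytes(12));   // lookup key, indexed
    $validator = bin2hex(random_bytes(32));   // secret, never stored in clear
    $stmt = $pdo->prepare('INSERT INTO persistent_logins
        (selector, validator_hash, user_id, expires_at, created_at, last_used_at)
        VALUES (?, ?, ?, ?, ?, ?)');
    $stmt->execute([$selector, hash('sha256', $validator), $userId,
                    $now + REMEMBER_TTL, $now, $now]);
    return $selector . ':' . $validator;
}

// Called on a request that has no live session but does carry the cookie.
// Returns null for an absent, malformed, unknown, forged or expired token;
// otherwise the user_id plus how long the user was away, so the caller can
// start a fresh session and decide whether to demand re-authentication.
function resumeFromRememberToken(PDO $pdo, ?string $cookie, int $now): ?array
{
    if ($cookie === null || substr_count($cookie, ':') !== 1) {
        return null;
    }
    [$selector, $validator] = explode(':', $cookie, 2);
    $stmt = $pdo->prepare('SELECT * FROM persistent_logins WHERE selector = ?');
    $stmt->execute([$selector]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return null;
    }
    $delete = $pdo->prepare('DELETE FROM persistent_logins WHERE selector = ?');
    // Constant-time comparison so the check does not leak how many bytes matched.
    // A wrong validator for a known selector suggests a stolen/guessed cookie:
    // drop the token rather than leave it usable.
    if (!hash_equals($row['validator_hash'], hash('sha256', $validator))) {
        $delete->execute([$selector]);
        return null;
    }
    if ((int) $row['expires_at'] < $now) {
        $delete->execute([$selector]);
        return null;
    }
    $idleFor = $now - (int) $row['last_used_at'];
    $pdo->prepare('UPDATE persistent_logins SET last_used_at = ? WHERE selector = ?')
        ->execute([$now, $selector]);
    return [
        'user_id'      => (int) $row['user_id'],
        'idle_seconds' => $idleFor,
        'needs_reauth' => $idleFor > REAUTH_AFTER,
    ];
}

// Usage. In a real request handler the cookie would be set as shown in the
// comment; the session cookie is left with its normal short lifetime.
$now    = time();
$cookie = issueRememberToken($pdo, 42, $now);
// setcookie(REMEMBER_COOKIE, $cookie, ['expires' => $now + REMEMBER_TTL,
//     'path' => '/', 'secure' => true, 'httponly' => true, 'samesite' => 'Lax']);

var_dump(resumeFromRememberToken($pdo, $cookie, $now + 3600));           // back after 1 hour
var_dump(resumeFromRememberToken($pdo, $cookie, $now + 7 * 24 * 3600));  // back after a week: needs_reauth
var_dump(resumeFromRememberToken($pdo, 'deadbeef:0000', $now));          // unknown selector: NULL
```

On a successful resume the caller should call `session_regenerate_id(true)` and populate a new, short-lived session; stale sessions then expire on their normal schedule instead of accumulating for two weeks, which is the performance problem the question describes. The `last_used_at` column answers the second question: a visitor whose idle gap exceeds a day is flagged `needs_reauth`, even though their persistent cookie is still valid. Tokens should also be deleted on explicit logout and on password change.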
這篇關于使用 Zend_Session::rememberMe 持久登錄的文章就介紹到這了,希望我們推薦的答案對大家有所幫助,也希望大家多多支持html5模板網!