問題描述

我正在開發(fā)一個包含多個子應用程序的應用程序，我想在 30 分鐘不活動后實現自動注銷.我有一個使用 Bootstrap.php 映射到自定義/login 和/logout 路由的登錄和注銷操作的 AuthController 以及如下所示的前端控制器插件:

I'm working on an application that houses several sub applications and I'd like to implement an auto logout after 30 minutes of inactivity. I have an AuthController with login and logout actions mapped to custom /login and /logout routes using the Bootstrap.php as well as a front controller plugin that looks like this:

class Plugin_SessionTrack extends Zend_Controller_Plugin_Abstract {

    public function preDispatch(Zend_Controller_Request_Abstract $request)
    {  

        $employeeSession = new Zend_Session_Namespace('employeeSession');
        $employeeSession->setExpirationSeconds(10);

    }
}

我是 PHP 和 Zend 的新手，10 秒后會話到底發(fā)生了什么?我將它設置為低以進行測試.我希望發(fā)生的是，如果通過前端控制器插件的最后一個請求的時間大于 30 分鐘前，則銷毀會話并注銷用戶并將其重定向到/login.

I'm new to PHP and Zend, what exactly is happening to the session after 10 seconds? I have it set low for testing. What I'd like to have happen is if the time of the last request through the front controller plugin was greater than 30 minutes ago, destroy the session and log the user out and redirect them to /login.

我可以清楚地看到我沒有跟蹤上次請求的時間，但我希望每次用戶通過這個 preDispatch 方法收到請求時都會刷新 setExpirationSeconds.

I can see obviously that I'm not tracking the time of the last request but my hope was that the setExpirationSeconds would be refreshed each time the user has a request come through this preDispatch method.

也許需要使用 cookie?我不需要實際啟動注銷操作，它可以在用戶下次發(fā)出請求時處理，如果他們在過去半小時內沒有做任何事情，會話就會被銷毀并且他們被注銷，這意味著如果我走開 45 分鐘，我的屏幕看起來仍然相同，但是如果我單擊鏈接或嘗試提交我已創(chuàng)建的表單，它會將我發(fā)送到/login.稍后我可以擔心某種類型的 JS 倒計時警告.

Maybe a cookie needs used? I don't need to actually initiate a logout action, it can just be handled the next time the user makes a request, if they've not done anything in the last half hour the session is destroyed and they're logged out, meaning if I walk away for 45 minutes my screen still looks the same but if I click a link or try and submit a form I had up it sends me to /login. I can worry about some type of JS countdown warning later.

如果有人想看，這是我的引導程序:

Here's my bootstrap if anyone wants to see it:

class Bootstrap extends Zend_Application_Bootstrap_Bootstrap
{
    /**
     * Custom routes:
     * 
     * /login
     * /logout
     */
    protected function _initRoutes()
    {

        $router = Zend_Controller_Front::getInstance()->getRouter();

        $loginRoute = new Zend_Controller_Router_Route('login', array('controller' => 'auth', 'action' => 'login'));

        $logoutRoute = new Zend_Controller_Router_Route('logout', array('controller' => 'auth', 'action' => 'logout'));

        $routesArray = array('login' => $loginRoute, 'logout' => $logoutRoute);

        $router->addRoutes($routesArray);

    }

    protected function _initPlugins()
    {

        $frontController = Zend_Controller_Front::getInstance();
        $frontController->registerPlugin(new Plugin_SessionTrack());

    }
}

推薦答案

當您調用 Zend_Session::setExpirationSeconds(10) 時，會話本身實際上在 10 秒后沒有發(fā)生任何事情.

When you call Zend_Session::setExpirationSeconds(10), nothing is actually happening to the session after 10 seconds time per se.

這個調用導致 Zend_Session 存儲一個內部值，該值標記該會話命名空間從調用時間開始在 time() + $seconds 到期.每次 Zend_Session 開始時，它都會檢查是否有任何會話數據被標記為過期，如果是，則繼續(xù)檢查是否過期時間或跳數已經過去.如果是這種情況，則有問題的會話數據在初始化時未設置，因此您的應用程序無法再訪問.

This call causes Zend_Session to store an internal value marking that session namespace for expiration at time() + $seconds from the time the call is made. Each time a Zend_Session starts, it checks to see if any session data is marked for expiration, and if so proceeds to check to see if the expiration time or hop count has passed. If that is the case, then the session data in question is unset at initialization, and is therefore no longer accessible by your application.

如果您在每次請求開始時進行此調用，它應該會在每次加載頁面時繼續(xù)將會話的生命周期延長數秒.

If you make this call at the beginning of every request, it should continue to prolong the life of the session by that many seconds on each page load.

請記住，如果 php.ini 中的會話設置被設置為在 15 分鐘后過期，將命名空間設置為在 60 分鐘后過期不會覆蓋 PHP 的 15 分鐘會話生存期.您可以在 application.ini 文件中對 PHP 的會話指令進行此類調整.

Keep in mind that if the session settings in php.ini are set to expire the session after 15 minutes, setting a namespace to expire after 60 minutes will not override PHP's session lifetime of 15 minutes. You can make such adjustments to PHP's session directives in your application.ini file.

在命名空間上設置過期時間還有一個好處，那就是自動刪除一些會話數據，而不必破壞整個會話.

Setting an expiration on the namespace also has the advantage of automatically removing some session data without having to destroy the entire session.

我不知道您的應用程序的具體情況，但您可以使用該插件來檢查它們是否已注銷并將請求轉發(fā)到您的登錄頁面.您可以在創(chuàng)建命名空間后檢查有效登錄，但您還需要確保當前請求不是登錄嘗試.或者，您可以推遲檢查插件中的有效登錄信息，然后讓您的 ACL 稍后在控制器級別進行處理.

I don't know the specifics of your application, but you could use the plugin to check and see if they are logged out and forward the request to your login page. You could check for a valid login after creating the namespace, but you also would want to make sure that the current request wasn't a login attempt. Or you could just defer checking for valid login in the plugin and let your ACL handle that later at the controller level.

您可能還想查看 Zend_Auth，您可以使用它來持久化會話中的身份.身份可以是任何東西，從指示他們是否已登錄的簡單布爾值到實現 Zend_Acl_Role_Interface 的完整用戶對象.Zend Auth 也很容易擴展，因此您可以通過為每個實例使用不同的命名空間來同時激活多個 Zend_Auth 會話，并且可以讓您的自定義身份驗證類為不同的會話命名空間設置不同的時間限制.

You may also want to look into Zend_Auth which you can use to persist an identity in the session. The identity can be anything from a simple boolean value indicating if they are logged in, to a full blown user object that implements Zend_Acl_Role_Interface. Zend Auth is also easily extended so you can have multiple Zend_Auth sessions active at the same time by using different namespaces for each instance, and could have your custom auth class set different time limits on different session namespaces.

我希望這有助于回答您的問題，如果您對我所說的有任何疑問，請隨時發(fā)表評論.

I hope that helps answer your question, feel free to comment if you have questions on what I said.

我測試了以下代碼，它在設定的時間后成功使我的 Zend_Auth 身份過期.我在 60 秒內對其進行了低測試，在等待 60 秒加載頁面后，我不再擁有身份并被注銷".您可以將此添加到您的會話跟蹤插件中.

I tested the following code and it successfully expired my Zend_Auth identity after the set time. I tested it low with 60 seconds and after waiting 60 seconds to load the page, I no longer had and identity and was "logged out". You could add this to your session track plugin.

<?php
$auth = Zend_Auth::getInstance();

if ($auth->hasIdentity()) { // user is logged in
    // get an instance of Zend_Session_Namespace used by Zend_Auth
    $authns = new Zend_Session_Namespace($auth->getStorage()->getNamespace());

    // set an expiration on the Zend_Auth namespace where identity is held
    $authns->setExpirationSeconds(60 * 30);  // expire auth storage after 30 min
}

這篇關于Zend Framework 不活動后自動注銷的文章就介紹到這了，希望我們推薦的答案對大家有所幫助，也希望大家多多支持html5模板網！