dongshai8330 2012-03-12 11:12
Views: 8
Accepted

Zend Framework "remember me" - working issue

I have used the remember-me functionality on my site using the following package: http://www.jasperrooswinkel.com/unexpected-expiration-of-zend_auth-sessions/. It is working fine. But I face a problem: a deleted user can still access his account just because of "stay signed in".

The scenario is as follows:

  1. The user logs in after ticking "keep me logged in".
  2. He shuts the system down without signing out.
  3. His account is deleted that evening.
  4. He opens the site the next morning.

As he had set "stay signed in", he gets his session back and can post a story and do whatever he likes in his account, without knowing that his account was deleted the previous day. Also, I have set "remember" to 14 days.

Any ideas how to solve this issue?

Thanks


6 answers

  • doulou9927 2012-03-12 20:51

    Extending the session's expiration time to more than a few hours is a bad idea for many reasons, not just because you're keeping the sessions of deleted users. There are also performance and security issues related to the fact that you're keeping active sessions (with their session_id) in your database / session storage.

    See "persisted login with Zend_Session::rememberMe".

    In any case, you should revalidate the user account on each page load, to make sure the user still exists and is active:

    I've created a revalidate function which I call on every page load. The function is called from the controller's init() function, before the user can do anything.

     public static function revalidate() {
         // Identity stored in the session by the remember-me package; empty when nobody is logged in.
         $userData = self::getIdentity();
         if (empty($userData['email'])) {
             return false;
         }

         // Look the account up again on every request, so a row deleted after login is noticed.
         $modelUsers = new \Model_Users();
         $user = $modelUsers->fetchWithEmail($userData['email']);

         // Only an account that still exists and has the normal role is treated as valid.
         if ($user instanceof \Model_User && $user->getRoleType() == 'ACCOUNT') {
             return $user;
         }
         return false;
     }
    
    Accepted as the best answer by the asker.
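The same per-request check can be applied centrally instead of from every controller's init(). The following is an added example and not code from the question, the answer or the linked package: a Zend Framework 1 front-controller plugin that re-validates the Zend_Auth identity against the user store on every request and tears the persisted login down when the account no longer exists or is disabled. The model classes Model_Users::fetchWithEmail() and Model_User::isActive(), the identity being an array with an 'email' key, and the default/auth/login route are assumptions for the illustration.

```php
<?php
// Added example (not from the original page). Assumed/hypothetical pieces:
// Model_Users::fetchWithEmail(), Model_User::isActive(), an identity array
// with an 'email' key, and a login action at default/auth/login.
class My_Plugin_RevalidateIdentity extends Zend_Controller_Plugin_Abstract
{
    public function preDispatch(Zend_Controller_Request_Abstract $request)
    {
        $auth = Zend_Auth::getInstance();
        if (!$auth->hasIdentity()) {
            return; // anonymous visitor: nothing to revalidate
        }

        // The identity in the session is only a snapshot taken at login time;
        // re-read the account from the store before trusting it.
        $identity = $auth->getIdentity();
        $email    = (is_array($identity) && isset($identity['email'])) ? $identity['email'] : null;

        $user = null;
        if ($email !== null) {
            $modelUsers = new Model_Users();            // hypothetical model API
            $user = $modelUsers->fetchWithEmail($email); // null/false when the row was deleted
        }

        if ($user instanceof Model_User && $user->isActive()) {
            return; // account still exists and is enabled: let the request through
        }

        // Account deleted or disabled: drop the identity, shrink the session
        // cookie back to a browser-session cookie and rotate the session id, so
        // the 14-day remember-me cookie stops being a valid credential.
        $auth->clearIdentity();
        Zend_Session::forgetMe();
        Zend_Session::regenerateId();

        // Reroute this request to the login action instead of the protected one.
        // On the second dispatch loop hasIdentity() is false, so no loop occurs.
        $request->setModuleName('default')
                ->setControllerName('auth')
                ->setActionName('login')
                ->setDispatched(false);
    }
}

// Register once in the Bootstrap, e.g. in a _initPlugins() method:
// Zend_Controller_Front::getInstance()->registerPlugin(new My_Plugin_RevalidateIdentity());
```

The cost is one user lookup per request, which is the price of letting the account table, not the session lifetime, decide who is still logged in; if that lookup is too expensive, cache it for a short time rather than skipping it, since the check is what closes the window the question describes.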
