overtrue/socialite

必须依赖session吗?


pslxx commented

必须依赖session吗?

https://auth0.com/docs/protocols/oauth2/oauth-state

Auth0 Docs
Explains how to use the state parameter in authentication requests to help prevent CSRF attacks and restore state

state 参数目前比较合适的方式就是使用 session 存储:发起授权前生成一个随机、不可预测的 state 并存入 session,回调时再与 session 中保存的值比对,不一致就拒绝本次回调;省掉这一步比对,state 就无法起到防 CSRF 的作用。

@pslxx 可以使用 Redis 啊,实现 `\SessionHandlerInterface`(并通过 `session_set_save_handler()` 注册)就可以了。

<?php
namespace App\Common\Cache;

use EasySwoole\RedisPool\Redis;

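class RedisSessionHandler implements \SessionHandlerInterface, \SessionUpdateTimestampHandlerInterface
{
    /** @var object Redis connection taken from the pool in open(); concrete type comes from EasySwoole */
    private $handle;

    /** @var int TTL in seconds applied to every session key */
    private $lifetime;

    /** @var string Namespace prefix prepended to every session id to form the Redis key */
    private $prefix;

    /**
     * Read the key prefix from config. The connection itself is acquired in open().
     */
    public function __construct()
    {
        $this->prefix = config('SESSION_PREFIX') ?? 'redis_session';
    }

    /**
     * Acquire a pooled Redis connection and resolve the session TTL.
     *
     * @param  string|null $save_path    ignored: Redis is the store
     * @param  string|null $session_name ignored: the key prefix comes from config
     * @return bool
     */
    public function open($save_path = null, $session_name = null)
    {
        $this->handle = Redis::defer('redis');
        // config() / ini_get() hand back strings; Redis TTL commands want an int.
        $this->lifetime = (int) (config('SESSION_LIFETIME') ?? ini_get('session.gc_maxlifetime'));
        return true;
    }

    /**
     * Nothing to release: the pooled connection is returned by the pool itself.
     *
     * @return bool
     */
    public function close()
    {
        return true;
    }

    /**
     * Fetch the serialized session payload for a session id.
     *
     * SessionHandlerInterface::read() must return a string. Passing the
     * client's false/null for a missing key through to PHP triggers a
     * "Failed to read session data" warning, so a miss is mapped to ''.
     *
     * @param  string $session_id
     * @return string
     */
    public function read($session_id)
    {
        $key = $this->key($session_id);
        $data = $this->handle->get($key);
        if ($data === false || $data === null) {
            return '';
        }
        // Sliding expiration: every successful read refreshes the TTL.
        $this->handle->expire($key, $this->lifetime);
        return (string) $data;
    }

    /**
     * Store the payload together with its TTL in a single SETEX, so a failure
     * between a separate set() and expire() cannot leave a never-expiring
     * session (and the auth state inside it) behind in Redis.
     * Assumes the pooled client exposes the SETEX command as setex(), like phpredis.
     *
     * @param  string $session_id
     * @param  string $session_data
     * @return bool
     */
    public function write($session_id, $session_data)
    {
        return (bool) $this->handle->setex($this->key($session_id), $this->lifetime, (string) $session_data);
    }

    /**
     * Remove a session. Deleting an id that no longer exists is not an error.
     *
     * @param  string $session_id
     * @return bool
     */
    public function destroy($session_id)
    {
        return $this->handle->del($this->key($session_id)) !== false;
    }

    /**
     * No-op: Redis evicts expired keys on its own, so there is nothing to sweep.
     *
     * @param  int $maxlifetime
     * @return bool
     */
    public function gc($maxlifetime)
    {
        return true;
    }

    /**
     * Report whether a client-supplied id refers to an existing session.
     * PHP only consults this when session.use_strict_mode=1; with it enabled an
     * unknown id from the cookie is replaced instead of being adopted, which is
     * what blocks session fixation. Without this method strict mode has no effect
     * for a custom handler.
     *
     * @param  string $session_id
     * @return bool
     */
    public function validateId($session_id)
    {
        return (bool) $this->handle->exists($this->key($session_id));
    }

    /**
     * Refresh the TTL of an unchanged session; PHP calls this instead of write()
     * when session.lazy_write is on and the payload did not change.
     *
     * @param  string $session_id
     * @param  string $session_data
     * @return bool
     */
    public function updateTimestamp($session_id, $session_data)
    {
        return (bool) $this->handle->expire($this->key($session_id), $this->lifetime);
    }

    /**
     * Build the Redis key for a session id.
     *
     * @param  string $session_id
     * @return string
     */
    private function key($session_id)
    {
        return $this->prefix . $session_id;
    }
}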
pslxx commented

@pslxx 可以使用 Redis 啊,实现 `\SessionHandlerInterface`(并通过 `session_set_save_handler()` 注册)就可以了。

<?php
namespace App\Common\Cache;

use EasySwoole\RedisPool\Redis;

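class RedisSessionHandler implements \SessionHandlerInterface, \SessionUpdateTimestampHandlerInterface
{
    /** @var object Redis connection taken from the pool in open(); concrete type comes from EasySwoole */
    private $handle;

    /** @var int TTL in seconds applied to every session key */
    private $lifetime;

    /** @var string Namespace prefix prepended to every session id to form the Redis key */
    private $prefix;

    /**
     * Read the key prefix from config. The connection itself is acquired in open().
     */
    public function __construct()
    {
        $this->prefix = config('SESSION_PREFIX') ?? 'redis_session';
    }

    /**
     * Acquire a pooled Redis connection and resolve the session TTL.
     *
     * @param  string|null $save_path    ignored: Redis is the store
     * @param  string|null $session_name ignored: the key prefix comes from config
     * @return bool
     */
    public function open($save_path = null, $session_name = null)
    {
        $this->handle = Redis::defer('redis');
        // config() / ini_get() hand back strings; Redis TTL commands want an int.
        $this->lifetime = (int) (config('SESSION_LIFETIME') ?? ini_get('session.gc_maxlifetime'));
        return true;
    }

    /**
     * Nothing to release: the pooled connection is returned by the pool itself.
     *
     * @return bool
     */
    public function close()
    {
        return true;
    }

    /**
     * Fetch the serialized session payload for a session id.
     *
     * SessionHandlerInterface::read() must return a string. Passing the
     * client's false/null for a missing key through to PHP triggers a
     * "Failed to read session data" warning, so a miss is mapped to ''.
     *
     * @param  string $session_id
     * @return string
     */
    public function read($session_id)
    {
        $key = $this->key($session_id);
        $data = $this->handle->get($key);
        if ($data === false || $data === null) {
            return '';
        }
        // Sliding expiration: every successful read refreshes the TTL.
        $this->handle->expire($key, $this->lifetime);
        return (string) $data;
    }

    /**
     * Store the payload together with its TTL in a single SETEX, so a failure
     * between a separate set() and expire() cannot leave a never-expiring
     * session (and the auth state inside it) behind in Redis.
     * Assumes the pooled client exposes the SETEX command as setex(), like phpredis.
     *
     * @param  string $session_id
     * @param  string $session_data
     * @return bool
     */
    public function write($session_id, $session_data)
    {
        return (bool) $this->handle->setex($this->key($session_id), $this->lifetime, (string) $session_data);
    }

    /**
     * Remove a session. Deleting an id that no longer exists is not an error.
     *
     * @param  string $session_id
     * @return bool
     */
    public function destroy($session_id)
    {
        return $this->handle->del($this->key($session_id)) !== false;
    }

    /**
     * No-op: Redis evicts expired keys on its own, so there is nothing to sweep.
     *
     * @param  int $maxlifetime
     * @return bool
     */
    public function gc($maxlifetime)
    {
        return true;
    }

    /**
     * Report whether a client-supplied id refers to an existing session.
     * PHP only consults this when session.use_strict_mode=1; with it enabled an
     * unknown id from the cookie is replaced instead of being adopted, which is
     * what blocks session fixation. Without this method strict mode has no effect
     * for a custom handler.
     *
     * @param  string $session_id
     * @return bool
     */
    public function validateId($session_id)
    {
        return (bool) $this->handle->exists($this->key($session_id));
    }

    /**
     * Refresh the TTL of an unchanged session; PHP calls this instead of write()
     * when session.lazy_write is on and the payload did not change.
     *
     * @param  string $session_id
     * @param  string $session_data
     * @return bool
     */
    public function updateTimestamp($session_id, $session_data)
    {
        return (bool) $this->handle->expire($this->key($session_id), $this->lifetime);
    }

    /**
     * Build the Redis key for a session id.
     *
     * @param  string $session_id
     * @return string
     */
    private function key($session_id)
    {
        return $this->prefix . $session_id;
    }
}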

谢谢。本来问这个问题,是因为主要用于 app 和前后端分离的项目,整个项目中的认证都是无状态的,就算用 Redis 也没有会话可以关联,现在全部用 stateless。不过无状态并不等于可以跳过 state 校验:state 仍需在回调时能被服务端验证,例如签名/加密后下发再校验,或以 state 为 key 存入 Redis 并设置短 TTL、校验后即删除(一次性使用)。

新版 3.0 已经不依赖 $request 和 session 了哈,state 的生成、保存与校验完全交由开发者自己决定(也就是说校验逻辑需要调用方自行补上,不要省略),具体使用请参考文档。