我对 Laravel 的
remember me
功能遇到了一些问题。
通常,laravel 添加一个 session cookie、一个 xsrf token 和 带有随机哈希值的 第三个 cookie。 (下图)
当我按照正常的登录-执行操作-注销-重复程序时,一切正常。 不添加额外的cookie。
如果我登录,关闭浏览器,然后再次访问该网站,则会添加另一个 cookie。这看起来像第三块饼干。在重复这个特定的流程时,我发现饼干有很大的膨胀。我什至不确定所有这些都被使用了。 (下图)
当我在登录时检查
remember me
时,会添加另一个 remember_me 令牌。当我关闭浏览器窗口并再次访问该网站时,我会自动登录。与上面的情况类似,当我重复此过程几次时,会添加越来越多的 cookie。 (下图)
最终,我收到一条错误消息
Bad request Your browser sent a request that this server could not understand.
Size of a request header field exceeds server limit.
Cookie
此后该网站甚至无法打开,除非我手动清除 cookie。
我的问题是,当我遇到上述情况时,如何删除旧的 cookie? Laravel 有什么办法可以解决我可能缺少的问题吗?每次访问都会生成新的 cookie 时,有什么方法可以删除旧的 cookie?
唯一最接近我的问题是这个问题,但答案对我不起作用。
我正在使用 Laravel 的
AuthController
,我的 session.php
看起来像这样:
<?php
return [
/*
|--------------------------------------------------------------------------
| Default Session Driver
|--------------------------------------------------------------------------
|
| This option controls the default session "driver" that will be used on
| requests. By default, we will use the lightweight native driver but
| you may specify any of the other wonderful drivers provided here.
|
| Supported: "file", "cookie", "database", "apc",
| "memcached", "redis", "array"
|
*/
'driver' => env('SESSION_DRIVER'),
/*
|--------------------------------------------------------------------------
| Session Lifetime
|--------------------------------------------------------------------------
|
| Here you may specify the number of minutes that you wish the session
| to be allowed to remain idle before it expires. If you want them
| to immediately expire on the browser closing, set that option.
|
*/
'lifetime' => 120,
'expire_on_close' => true,
/*
|--------------------------------------------------------------------------
| Session Encryption
|--------------------------------------------------------------------------
|
| This option allows you to easily specify that all of your session data
| should be encrypted before it is stored. All encryption will be run
| automatically by Laravel and you can use the Session like normal.
|
*/
'encrypt' => true,
/*
|--------------------------------------------------------------------------
| Session File Location
|--------------------------------------------------------------------------
|
| When using the native session driver, we need a location where session
| files may be stored. A default has been set for you but a different
| location may be specified. This is only needed for file sessions.
|
*/
'files' => storage_path('framework/sessions'),
/*
|--------------------------------------------------------------------------
| Session Database Connection
|--------------------------------------------------------------------------
|
| When using the "database" or "redis" session drivers, you may specify a
| connection that should be used to manage these sessions. This should
| correspond to a connection in your database configuration options.
|
*/
'connection' => null,
/*
|--------------------------------------------------------------------------
| Session Database Table
|--------------------------------------------------------------------------
|
| When using the "database" session driver, you may specify the table we
| should use to manage the sessions. Of course, a sensible default is
| provided for you; however, you are free to change this as needed.
|
*/
'table' => 'sessions',
/*
|--------------------------------------------------------------------------
| Session Sweeping Lottery
|--------------------------------------------------------------------------
|
| Some session drivers must manually sweep their storage location to get
| rid of old sessions from storage. Here are the chances that it will
| happen on a given request. By default, the odds are 2 out of 100.
|
*/
'lottery' => [2, 100],
/*
|--------------------------------------------------------------------------
| Session Cookie Name
|--------------------------------------------------------------------------
|
| Here you may change the name of the cookie used to identify a session
| instance by ID. The name specified here will get used every time a
| new session cookie is created by the framework for every driver.
|
*/
'cookie' => 'zpz_session',
/*
|--------------------------------------------------------------------------
| Session Cookie Path
|--------------------------------------------------------------------------
|
| The session cookie path determines the path for which the cookie will
| be regarded as available. Typically, this will be the root path of
| your application but you are free to change this when necessary.
|
*/
'path' => '/',
/*
|--------------------------------------------------------------------------
| Session Cookie Domain
|--------------------------------------------------------------------------
|
| Here you may change the domain of the cookie used to identify a session
| in your application. This will determine which domains the cookie is
| available to in your application. A sensible default has been set.
|
*/
'domain' => null,
/*
|--------------------------------------------------------------------------
| HTTPS Only Cookies
|--------------------------------------------------------------------------
|
| By setting this option to true, session cookies will only be sent back
| to the server if the browser has a HTTPS connection. This will keep
| the cookie from being sent to you if it can not be done securely.
|
*/
'secure' => false,
];
遇到了同样的问题,最后意识到我在这些行中错误配置了 .env:
SESSION_DOMAIN=.mydomain.sk
SANCTUM_STATEFUL_DOMAINS=mydomain.sk
应该是:
SESSION_DOMAIN=.mydomain.sk
SANCTUM_STATEFUL_DOMAINS=.mydomain.sk
Cookie 标头的限制为 4096 字节(https://stackoverflow.com/a/52492934/49114),您会收到此错误,因为加密的 cookie 非常大,并且每个创建的 cookie 都会向 cookie 添加越来越多的字节标题。
可能的解决方案:
'encrypt' => false,
禁用 cookie 加密,并避免将敏感信息存储到 cookie 中。就我而言,这个问题是在设置“SESSION_DRIVER=cookie”时引起的。