我目前正在使用Symfony 2.1.8和内置PdoSessionHandler。
我想在会话表中添加user_id字段,以识别会话所属的(登录)用户。我的想法是,我可以强制用户重新登录以破坏他的会话。在我的情况下,如果更新了用户的权限,就会发生这种情况。
我查看了由于那些愚蠢的私有变量而无法扩展的内置PdoSessionHandler。
所以我尝试创建一个新的(复制/粘贴)并添加我的列user_id。
现在,如果用户未登录(匿名用户),则此列可以为null。
所以我想在处理程序的write方法中编写这个user_id。用户已存储在$data中,因此我认为我可以检查此用户是否存在,抓住其id并将其添加到插入/更新查询中。
问题是$data是编码的 - 我想是通过session_encode() - 所以我不确定这是处理我的新领域的最好的地方,但同时我不能看到我能做的其他地方,因为我需要更新这个MySQL查询以插入新字段的值。
所以我的问题是:处理这个额外字段的最佳位置在哪里?以及如何设置此user_id值?
另一方面,令人讨厌的是,Symfony每次登录或退出时都会创建一个新cookie。因此,数据库最终会有大量的记录(它总是相同的用户)。为什么Symfony始终没有使用相同的Cookie值?
答案 0 :(得分:5)
你可以扩展PdoSessionHandler(> = Symfony 2.1的解决方案):
namespace Acme\DemoBundle\HttpFoundation\Session\Storage\Handler;
use Symfony\Component\HttpFoundation\Session\Storage\Handler\PdoSessionHandler;
use Symfony\Component\Security\Core\SecurityContext;
class UserIdPdoSessionHandler extends PdoSessionHandler
{
/**
* @var \PDO PDO instance.
*/
private $pdo;
/**
* @var array Database options.
*/
private $dbOptions;
/**
* @var SecurityContext
*/
private $context;
public function __construct(\PDO $pdo, array $dbOptions = array(), SecurityContext $context)
{
$this->pdo = $pdo;
$this->dbOptions = array_merge(
array('db_user_id_col' => 'user_id'),
$dbOptions
);
$this->context = $context;
parent::__construct($pdo, $dbOptions);
}
public function read($id)
{
// get table/columns
$dbTable = $this->dbOptions['db_table'];
$dbDataCol = $this->dbOptions['db_data_col'];
$dbIdCol = $this->dbOptions['db_id_col'];
try {
$sql = "SELECT $dbDataCol FROM $dbTable WHERE $dbIdCol = :id";
$stmt = $this->pdo->prepare($sql);
$stmt->bindParam(':id', $id, \PDO::PARAM_STR);
$stmt->execute();
// it is recommended to use fetchAll so that PDO can close the DB cursor
// we anyway expect either no rows, or one row with one column. fetchColumn, seems to be buggy #4777
$sessionRows = $stmt->fetchAll(\PDO::FETCH_NUM);
if (count($sessionRows) == 1) {
return base64_decode($sessionRows[0][0]);
}
// session does not exist, create it
$this->createNewSession($id);
return '';
} catch (\PDOException $e) {
throw new \RuntimeException(sprintf('PDOException was thrown when trying to read the session data: %s', $e->getMessage()), 0, $e);
}
}
/**
* {@inheritDoc}
*/
public function write($id, $data)
{
// get table/column
$dbTable = $this->dbOptions['db_table'];
$dbDataCol = $this->dbOptions['db_data_col'];
$dbIdCol = $this->dbOptions['db_id_col'];
$dbTimeCol = $this->dbOptions['db_time_col'];
$dbUserIdCol = $this->dbOptions['db_user_id_col'];
//session data can contain non binary safe characters so we need to encode it
$encoded = base64_encode($data);
$userId = $this->context->isGranted('IS_AUTHENTICATED_REMEMBERED') ?
$this->context->getToken()->getUser()->getId() :
null
;
try {
$driver = $this->pdo->getAttribute(\PDO::ATTR_DRIVER_NAME);
if ('mysql' === $driver) {
// MySQL would report $stmt->rowCount() = 0 on UPDATE when the data is left unchanged
// it could result in calling createNewSession() whereas the session already exists in
// the DB which would fail as the id is unique
$stmt = $this->pdo->prepare(
"INSERT INTO $dbTable ($dbIdCol, $dbDataCol, $dbTimeCol, $dbUserIdCol) VALUES (:id, :data, :time, :user_id) " .
"ON DUPLICATE KEY UPDATE $dbDataCol = VALUES($dbDataCol), $dbTimeCol = VALUES($dbTimeCol)"
);
$stmt->bindParam(':id', $id, \PDO::PARAM_STR);
$stmt->bindParam(':data', $encoded, \PDO::PARAM_STR);
$stmt->bindValue(':time', time(), \PDO::PARAM_INT);
$stmt->bindParam(':user_id', $userId, \PDO::PARAM_STR);
$stmt->execute();
} elseif ('oci' === $driver) {
$stmt = $this->pdo->prepare("MERGE INTO $dbTable USING DUAL ON($dbIdCol = :id) ".
"WHEN NOT MATCHED THEN INSERT ($dbIdCol, $dbDataCol, $dbTimeCol, $dbUserIdCol) VALUES (:id, :data, sysdate, :user_id) " .
"WHEN MATCHED THEN UPDATE SET $dbDataCol = :data WHERE $dbIdCol = :id");
$stmt->bindParam(':id', $id, \PDO::PARAM_STR);
$stmt->bindParam(':data', $encoded, \PDO::PARAM_STR);
$stmt->bindParam(':user_id', $userId, \PDO::PARAM_STR);
$stmt->execute();
} else {
$stmt = $this->pdo->prepare("UPDATE $dbTable SET $dbDataCol = :data, $dbTimeCol = :time WHERE $dbIdCol = :id");
$stmt->bindParam(':id', $id, \PDO::PARAM_STR);
$stmt->bindParam(':data', $encoded, \PDO::PARAM_STR);
$stmt->bindValue(':time', time(), \PDO::PARAM_INT);
$stmt->execute();
if (!$stmt->rowCount()) {
// No session exists in the database to update. This happens when we have called
// session_regenerate_id()
$this->createNewSession($id, $data);
}
}
} catch (\PDOException $e) {
throw new \RuntimeException(sprintf('PDOException was thrown when trying to write the session data: %s', $e->getMessage()), 0, $e);
}
return true;
}
private function createNewSession($id, $data = '')
{
// get table/column
$dbTable = $this->dbOptions['db_table'];
$dbDataCol = $this->dbOptions['db_data_col'];
$dbIdCol = $this->dbOptions['db_id_col'];
$dbTimeCol = $this->dbOptions['db_time_col'];
$dbUserIdCol = $this->dbOptions['db_user_id_col'];
$userId = $this->context->isGranted('IS_AUTHENTICATED_REMEMBERED') ?
$this->context->getToken()->getUser()->getId() :
null
;
$sql = "INSERT INTO $dbTable ($dbIdCol, $dbDataCol, $dbTimeCol, $dbUserIdCol) VALUES (:id, :data, :time, :user_id)";
//session data can contain non binary safe characters so we need to encode it
$encoded = base64_encode($data);
$stmt = $this->pdo->prepare($sql);
$stmt->bindParam(':id', $id, \PDO::PARAM_STR);
$stmt->bindParam(':data', $encoded, \PDO::PARAM_STR);
$stmt->bindValue(':time', time(), \PDO::PARAM_INT);
$stmt->bindParam(':user_id', $userId, \PDO::PARAM_STR);
$stmt->execute();
return true;
}
}
配置会话以使用它:
# config.yml
framework:
session:
# ...
handler_id: session.storage.custom
parameters:
pdo.db_options:
db_table: session
db_id_col: session_id
db_data_col: session_value
db_time_col: session_time
db_user_id_col: session_user_id
services:
pdo:
class: PDO
arguments:
dsn: "mysql:host=%database_host%;dbname=%database_name%"
user: "%database_user%"
password: "%database_password%"
session.storage.custom:
class: Acme\DemoBundle\HttpFoundation\Session\Storage\Handler\UserIdPdoSessionHandler
arguments: [ @pdo, "%pdo.db_options%", @security.context ]
答案 1 :(得分:3)
我不确定修改会话是个好主意,您可以将会话ID存储在用户实体中,并在需要时删除它们。这样,您可以确保只有用户一次只能登录一个会话。
实现它的最简单方法是使用登录侦听器。
将sessionId字段添加到用户实体(或文档或您使用的任何持久性):
// Acme/UserBundle/Entity/User.php
namespace Acme\UserBundle\Entity;
use Doctrine\ORM\Mapping as ORM;
/**
* ORM\Entity
* @ORM\Table(name="fos_user")
*/
class User {
// ...
/**
* @ORM\Column(name="session_id", type="string")
*/
private $sessionId;
public function getSessionId() {
return $this->sessionId;
}
public function setSessionId($sessionId = null) {
$this->sessionId = $sessionId;
return $this;
}
}
添加一个监听器:
namespace Dbla\UserBundle\Listener;
use Symfony\Component\HttpFoundation\Session;
use Symfony\Component\Security\Http\Event\InteractiveLoginEvent;
class LoginListener
{
protected $doctrine;
protected $session;
public function __construct(Session $session, Registry $doctrine)
{
$this->doctrine = $doctrine;
$this->session = $session;
}
public function onLogin(InteractiveLoginEvent $event)
{
$user = $event->getAuthenticationToken()->getUser();
if ($user) {
$user->setSessionId($this->session->getId());
$em = $this->doctrine->getEntityManager();
$em->persist($user);
$em->flush();
}
}
}
并将其添加为服务:
services:
acme_user.listsner.login:
class: Acme\UserBundle\Listener\LoginListener
arguments: [ @session, @doctrine ]
tags:
- { name: kernel.event_listener, event: security.interactive_login, method: onLogin }
然后您可以简单地删除用户的会话:
$users = []; // ... get user list
$sessionIds = array_map(function($user) {
return $user->getId();
});
if (count(sessionIds) > 0) {
$sql = 'DELETE FROM session WHERE session_id IN (' . implode($sessionIds, ',') . ')';
$entityManager->getConnection()->exec($sql);
}
foreach ($users as $user) {
$user->setSessionId(null);
$entityManager->persist($user);
}
$entityManager->flush();