我正在构建一个基于 PHP 的 Web 应用程序,并实现了一个基于会话变量的登录方法。在加载任何内容之前,此方法会清除所有在网站上花费 X 时间且未加载新页面或重新加载同一页面的用户的“登录”状态。现在这工作得很好,但是这只在页面加载时进行检查并且不寻找鼠标/键盘活动(考虑填写长表格)。
此处提出了类似的问题,但从未质疑过代码的安全漏洞。我还找到了Paul Irish 的解决方案,但也没有找到任何关于安全性的参考。
如果我保持“绝对超时”服务器端,javascript代码可能会被停用/拦截,这是否是一种现实的恐惧?其他大型网络应用程序设计师是如何做到的?
There's a number of inter-related issues here. My approach is that this can be done entirely server-side first, and then a JavaScript improvement added atop such that it doesn't matter if the client-side stuff fails to run.
The core of the solution is to set a last_seen time on the server when the user logs on. Whenever you detect any user activity (either a page rendering or an AJAX response), check whether this time is within acceptable bounds for you, and if it is overwrite it with the current time. If it is outside of the current bounds, destroy the session on the server side, and force a redirect to the login page, with a suitable message.
Once you have done that, there is no way that server-side value can be tinkered with, unless the user artificially refreshes their page pointlessly in order to avoid the timeout - but in that case, you would be unable to determine the difference between a "real" page request and one designed just to reset the session timer. If you are worried about malicious software on the user's computer, or an advanced man-in-the-middle attack on the user's connection, then you've got bigger problems than session timeout anyway.
Once this is set up, you may wish to use JavaScript to run a timer on each page that automatically shows the logged-off-automatically message. Just set this timer for the same length of time as your timeout, and of course restart it if an AJAX operation is triggered on the page. You could inject this message into the DOM, rather than redirecting, so if the user is filling out a form, they don't lose their work.
As you say, you could always detect form key-strokes to reset the timer. To do so, send an AJAX operation to the server that answers with an empty reply - that will send the cookie automatically - just ensure that your standard session code is run here too. Do use a JavaScript timer so that you don't send an AJAX op for every press - if it sometimes goes ten seconds later than the key press, then you'll not overwhelm the connection and you'll ensure your application remains speedy.