如何解决Laravel CSRF会话在Heroku上到期
这是一个常见的问题,似乎有各种建议/解决方案。我已经阅读了许多以前的主题和其他资源,但是在遇到自己的问题时没有成功。
在Heroku上托管Laravel 6应用。我的session.PHP
如下:
<?PHP
return [
/*
|--------------------------------------------------------------------------
| Default Session Driver
|--------------------------------------------------------------------------
|
| This option controls the default session "driver" that will be used on
| requests. By default,we will use the lightweight native driver but
| you may specify any of the other wonderful drivers provided here.
|
| Supported: "file","cookie","database","apc",| "memcached","redis","array"
|
*/
'driver' => env('SESSION_DRIVER','file'),/*
|--------------------------------------------------------------------------
| Session Lifetime
|--------------------------------------------------------------------------
|
| Here you may specify the number of minutes that you wish the session
| to be allowed to remain idle before it expires. If you want them
| to immediately expire on the browser closing,set that option.
|
*/
'lifetime' => 120,'expire_on_close' => false,/*
|--------------------------------------------------------------------------
| Session Encryption
|--------------------------------------------------------------------------
|
| This option allows you to easily specify that all of your session data
| should be encrypted before it is stored. All encryption will be run
| automatically by Laravel and you can use the Session like normal.
|
*/
'encrypt' => false,/*
|--------------------------------------------------------------------------
| Session File Location
|--------------------------------------------------------------------------
|
| When using the native session driver,we need a location where session
| files may be stored. A default has been set for you but a different
| location may be specified. This is only needed for file sessions.
|
*/
'files' => storage_path('framework/sessions'),/*
|--------------------------------------------------------------------------
| Session Database Connection
|--------------------------------------------------------------------------
|
| When using the "database" or "redis" session drivers,you may specify a
| connection that should be used to manage these sessions. This should
| correspond to a connection in your database configuration options.
|
*/
'connection' => env('SESSION_CONNECTION',null),/*
|--------------------------------------------------------------------------
| Session Database Table
|--------------------------------------------------------------------------
|
| When using the "database" session driver,you may specify the table we
| should use to manage the sessions. Of course,a sensible default is
| provided for you; however,you are free to change this as needed.
|
*/
'table' => 'sessions',/*
|--------------------------------------------------------------------------
| Session Sweeping Lottery
|--------------------------------------------------------------------------
|
| Some session drivers must manually sweep their storage location to get
| rid of old sessions from storage. Here are the chances that it will
| happen on a given request. By default,the odds are 2 out of 100.
|
*/
'lottery' => [2,100],/*
|--------------------------------------------------------------------------
| Session Cookie Name
|--------------------------------------------------------------------------
|
| Here you may change the name of the cookie used to identify a session
| instance by ID. The name specified here will get used every time a
| new session cookie is created by the framework for every driver.
|
*/
'cookie' => env('SESSION_COOKIE','my_app_session'),/*
|--------------------------------------------------------------------------
| Session Cookie Path
|--------------------------------------------------------------------------
|
| The session cookie path determines the path for which the cookie will
| be regarded as available. Typically,this will be the root path of
| your application but you are free to change this when necessary.
|
*/
'path' => '/',/*
|--------------------------------------------------------------------------
| Session Cookie Domain
|--------------------------------------------------------------------------
|
| Here you may change the domain of the cookie used to identify a session
| in your application. This will determine which domains the cookie is
| available to in your application. A sensible default has been set.
|
*/
'domain' => env('SESSION_DOMAIN',/*
|--------------------------------------------------------------------------
| HTTPS Only Cookies
|--------------------------------------------------------------------------
|
| By setting this option to true,session cookies will only be sent back
| to the server if the browser has a HTTPS connection. This will keep
| the cookie from being sent to you if it can not be done securely.
|
*/
'secure' => env('SESSION_SECURE',false),/*
|--------------------------------------------------------------------------
| HTTP Access Only
|--------------------------------------------------------------------------
|
| Setting this value to true will prevent JavaScript from accessing the
| value of the cookie and the cookie will only be accessible through
| the HTTP protocol. You are free to modify this option if needed.
|
*/
'http_only' => true,];
我有SESSION_DRIVER=memcached
,SESSION_SECURE=true
,SESSION_DOMIN=my.heroku.host
。登录后,我有捕获401
并要求用户再次登录的代码(单击一个按钮,将其注销到后端并重定向到/login
)。
多个用户报告说,当他们收到此消息时(大概每120
session.PHP
分钟之后)并重新登录,他们立即被要求再次重新登录,就好像他们的会话已立即过期。我已经能够在Heroku上进行复制,有时我被重定向,有时我似乎得到了可怕的“页面过期419” Laravel页面。
我的登录表单上有@csrf
。登录后,每个页面顶部都会有一个<Meta name="csrf-token" content="{{ csrf_token() }}">
。在每个ajax请求中,我还发送了X-CSRF-TOKEN
作为标题。此外,我不仅要检测401
,而且要检测419
,并尝试在发生这种情况时刷新csrf令牌。
一旦遇到,似乎没有任何解决办法,无法清除cookie,缓存等。当我重新启动Heroku测功机时,一切又恢复正常了。我还能够在本地复制(通过减少会话寿命),并且拦截,注销和登录顺序工作正常。因此,这是Heroku / config上的某种问题。此时欢迎任何想法!
版权声明:本文内容由互联网用户自发贡献,该文观点与技术仅代表作者本人。本站仅提供信息存储空间服务,不拥有所有权,不承担相关法律责任。如发现本站有涉嫌侵权/违法违规的内容, 请发送邮件至 dio@foxmail.com 举报,一经查实,本站将立刻删除。