Skip to content
Projects
Groups
Snippets
Help
This project
Loading...
Sign in / Register
Toggle navigation
Y
yii2
Project
Overview
Details
Activity
Cycle Analytics
Repository
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Charts
Issues
0
Issues
0
List
Board
Labels
Milestones
Merge Requests
0
Merge Requests
0
CI / CD
CI / CD
Pipelines
Jobs
Schedules
Charts
Wiki
Wiki
Snippets
Snippets
Members
Members
Collapse sidebar
Close sidebar
Activity
Graph
Charts
Create a new issue
Jobs
Commits
Issue Boards
Open sidebar
PSDI Army
yii2
Commits
3b3d5c8c
Commit
3b3d5c8c
authored
Nov 21, 2014
by
Alexander Makarov
Browse files
Options
Browse Files
Download
Plain Diff
Merge pull request #6140 from cdvrooman/patch-10
[skip ci] Update runtime-sessions-cookies.md
parents
91c07168
5642d98a
Show whitespace changes
Inline
Side-by-side
Showing
1 changed file
with
23 additions
and
23 deletions
+23
-23
runtime-sessions-cookies.md
docs/guide/runtime-sessions-cookies.md
+23
-23
No files found.
docs/guide/runtime-sessions-cookies.md
View file @
3b3d5c8c
Sessions and Cookies
Sessions and Cookies
====================
====================
Sessions and cookies allow data to be persisted across multiple user requests. In plain PHP
,
you may access them
Sessions and cookies allow data to be persisted across multiple user requests. In plain PHP you may access them
through the global variables
`$_SESSION`
and
`$_COOKIE`
, respectively. Yii encapsulates sessions and cookies as objects
through the global variables
`$_SESSION`
and
`$_COOKIE`
, respectively. Yii encapsulates sessions and cookies as objects
and thus allows you to access them in an object-oriented fashion with additional
nice
enhancements.
and thus allows you to access them in an object-oriented fashion with additional
useful
enhancements.
## Sessions <a name="sessions"></a>
## Sessions <a name="sessions"></a>
...
@@ -33,8 +33,8 @@ $session->close();
...
@@ -33,8 +33,8 @@ $session->close();
$session
->
destroy
();
$session
->
destroy
();
```
```
You can call
the
[
[yii\web\Session::open()|open()
]
] and
[
[yii\web\Session::close()|close()
]
] multiple times
You can call
[
[yii\web\Session::open()|open()
]
] and
[
[yii\web\Session::close()|close()
]
] multiple times
without causing errors
. This is because internally the methods will first check if the session is already opened
.
without causing errors
; internally the methods will first check if the session is already open
.
### Accessing Session Data <a name="access-session-data"></a>
### Accessing Session Data <a name="access-session-data"></a>
...
@@ -102,7 +102,7 @@ $session = Yii::$app->session;
...
@@ -102,7 +102,7 @@ $session = Yii::$app->session;
$_SESSION
[
'captcha'
][
'number'
]
=
5
;
$_SESSION
[
'captcha'
][
'number'
]
=
5
;
$_SESSION
[
'captcha'
][
'lifetime'
]
=
3600
;
$_SESSION
[
'captcha'
][
'lifetime'
]
=
3600
;
// get the whole array
out
first, modify it and then save it back
// get the whole array first, modify it and then save it back
$captcha
=
$session
[
'captcha'
];
$captcha
=
$session
[
'captcha'
];
$captcha
[
'number'
]
=
5
;
$captcha
[
'number'
]
=
5
;
$captcha
[
'lifetime'
]
=
3600
;
$captcha
[
'lifetime'
]
=
3600
;
...
@@ -114,7 +114,7 @@ $session['captcha'] = new \ArrayObject;
...
@@ -114,7 +114,7 @@ $session['captcha'] = new \ArrayObject;
$session
[
'captcha'
][
'number'
]
=
5
;
$session
[
'captcha'
][
'number'
]
=
5
;
$session
[
'captcha'
][
'lifetime'
]
=
3600
;
$session
[
'captcha'
][
'lifetime'
]
=
3600
;
// store array data by keys with common prefix
// store array data by keys with
a
common prefix
$session
[
'captcha.number'
]
=
5
;
$session
[
'captcha.number'
]
=
5
;
$session
[
'captcha.lifetime'
]
=
3600
;
$session
[
'captcha.lifetime'
]
=
3600
;
```
```
...
@@ -134,16 +134,16 @@ session classes implementing different session storage:
...
@@ -134,16 +134,16 @@ session classes implementing different session storage:
*
[
[yii\redis\Session
]
]: stores session data using
[
redis
](
http://redis.io/
)
as the storage medium.
*
[
[yii\redis\Session
]
]: stores session data using
[
redis
](
http://redis.io/
)
as the storage medium.
*
[
[yii\mongodb\Session
]
]: stores session data in a
[
MongoDB
](
http://www.mongodb.org/
)
.
*
[
[yii\mongodb\Session
]
]: stores session data in a
[
MongoDB
](
http://www.mongodb.org/
)
.
All these session classes support the same set of API methods. As a result, you can switch to
use
a different
All these session classes support the same set of API methods. As a result, you can switch to a different
session storage
without the need to modify your application code that uses session
.
session storage
class without the need to modify your application code that uses sessions
.
> Note: If you want to access session data via `$_SESSION` while using custom session storage, you must make
> Note: If you want to access session data via `$_SESSION` while using custom session storage, you must make
sure that the session
is already
started by
[
[yii\web\Session::open()
]
]. This is because custom session storage
sure that the session
has already been
started by
[
[yii\web\Session::open()
]
]. This is because custom session storage
handlers are registered within this method.
handlers are registered within this method.
To learn how to configure and use these component classes, please refer to their API documentation. Below is
To learn how to configure and use these component classes, please refer to their API documentation. Below is
an example showing how to configure
[
[yii\web\DbSession
]
] in the application configuration to use database table
an example showing how to configure
[
[yii\web\DbSession
]
] in the application configuration to use
a
database table
as
session storage:
for
session storage:
```
php
```
php
return
[
return
[
...
@@ -168,14 +168,14 @@ CREATE TABLE session
...
@@ -168,14 +168,14 @@ CREATE TABLE session
)
)
```
```
where 'BLOB' refers to the BLOB-type of your preferred DBMS. Below are the BLOB type that can be used for some popular DBMS:
where 'BLOB' refers to the BLOB-type of your preferred DBMS. Below are the BLOB type
s
that can be used for some popular DBMS:
-
MySQL: LONGBLOB
-
MySQL: LONGBLOB
-
PostgreSQL: BYTEA
-
PostgreSQL: BYTEA
-
MSSQL: BLOB
-
MSSQL: BLOB
> Note: According to the php.ini setting of `session.hash_function`, you may need to adjust
> Note: According to the php.ini setting of `session.hash_function`, you may need to adjust
the length of the
`id`
column. For example, if
`session.hash_function=sha256`
, you should use
the length of the
`id`
column. For example, if
`session.hash_function=sha256`
, you should use
a
length 64 instead of 40.
length 64 instead of 40.
...
@@ -207,7 +207,7 @@ $result = $session->hasFlash('postDeleted');
...
@@ -207,7 +207,7 @@ $result = $session->hasFlash('postDeleted');
Like regular session data, you can store arbitrary data as flash data.
Like regular session data, you can store arbitrary data as flash data.
When you call
[
[yii\web\Session::setFlash()
]
], it will overwrite any existing flash data that has the same name.
When you call
[
[yii\web\Session::setFlash()
]
], it will overwrite any existing flash data that has the same name.
To append new flash data to
the existing one(s)
of the same name, you may call
[
[yii\web\Session::addFlash()
]
] instead.
To append new flash data to
an existing message
of the same name, you may call
[
[yii\web\Session::addFlash()
]
] instead.
For example:
For example:
```
php
```
php
...
@@ -244,7 +244,7 @@ be sent to the user.
...
@@ -244,7 +244,7 @@ be sent to the user.
You can get the cookies in the current request using the following code:
You can get the cookies in the current request using the following code:
```
php
```
php
// get the cookie collection (yii\web\CookieCollection) from "request" component
// get the cookie collection (yii\web\CookieCollection) from
the
"request" component
$cookies
=
Yii
::
$app
->
request
->
cookies
;
$cookies
=
Yii
::
$app
->
request
->
cookies
;
// get the "language" cookie value. If the cookie does not exist, return "en" as the default value.
// get the "language" cookie value. If the cookie does not exist, return "en" as the default value.
...
@@ -271,7 +271,7 @@ if (isset($cookies['language'])) ...
...
@@ -271,7 +271,7 @@ if (isset($cookies['language'])) ...
You can send cookies to end users using the following code:
You can send cookies to end users using the following code:
```
php
```
php
// get the cookie collection (yii\web\CookieCollection) from "response" component
// get the cookie collection (yii\web\CookieCollection) from
the
"response" component
$cookies
=
Yii
::
$app
->
response
->
cookies
;
$cookies
=
Yii
::
$app
->
response
->
cookies
;
// add a new cookie to the response to be sent
// add a new cookie to the response to be sent
...
@@ -287,21 +287,21 @@ unset($cookies['language']);
...
@@ -287,21 +287,21 @@ unset($cookies['language']);
```
```
Besides the
[
[yii\web\Cookie::name|name
]
],
[
[yii\web\Cookie::value|value
]
] properties shown in the above
Besides the
[
[yii\web\Cookie::name|name
]
],
[
[yii\web\Cookie::value|value
]
] properties shown in the above
examples, the
[
[yii\web\Cookie
]
] class also defines other properties to fully represent all
possible information
examples, the
[
[yii\web\Cookie
]
] class also defines other properties to fully represent all
available cookie
of cookies
, such as
[
[yii\web\Cookie::domain|domain
]
],
[
[yii\web\Cookie::expire|expire
]
]. You may configure these
information
, such as
[
[yii\web\Cookie::domain|domain
]
],
[
[yii\web\Cookie::expire|expire
]
]. You may configure these
properties as needed to prepare a cookie and then add it to the response's cookie collection.
properties as needed to prepare a cookie and then add it to the response's cookie collection.
> Note: For better security, the default value of [[yii\web\Cookie::httpOnly]] is set true. This helps mitigate
> Note: For better security, the default value of [[yii\web\Cookie::httpOnly]] is set t
o t
rue. This helps mitigate
the risk of client side script accessing the protected cookie (if the browser supports it). You may read
the risk of
a
client side script accessing the protected cookie (if the browser supports it). You may read
the
[
httpOnly wiki article
](
https://www.owasp.org/index.php/HttpOnly
)
for more details.
the
[
httpOnly wiki article
](
https://www.owasp.org/index.php/HttpOnly
)
for more details.
### Cookie Validation <a name="cookie-validation"></a>
### Cookie Validation <a name="cookie-validation"></a>
When you are reading and sending cookies through the
`request`
and
`response`
components
like
shown in the last
When you are reading and sending cookies through the
`request`
and
`response`
components
as
shown in the last
two subsections, you enjoy the added security of cookie validation which protects cookies from being modified
two subsections, you enjoy the added security of cookie validation which protects cookies from being modified
on the client side. This is achieved by signing each cookie with a hash string, which allows the application to
on the client side. This is achieved by signing each cookie with a hash string, which allows the application to
tell if a cookie
is modified on the client side or not
. If so, the cookie will NOT be accessible through the
tell if a cookie
has been modified on the client side
. If so, the cookie will NOT be accessible through the
[
[yii\web\Request::cookies|cookie collection
]
] of the
`request`
component.
[
[yii\web\Request::cookies|cookie collection
]
] of the
`request`
component.
> Note: Cookie validation only protects cookie values from being modified. If a cookie fails the validation,
> Note: Cookie validation only protects cookie values from being modified. If a cookie fails the validation,
...
@@ -327,4 +327,4 @@ return [
...
@@ -327,4 +327,4 @@ return [
```
```
> Info: [[yii\web\Request::cookieValidationKey|cookieValidationKey]] is critical to your application's security.
> Info: [[yii\web\Request::cookieValidationKey|cookieValidationKey]] is critical to your application's security.
It should only be known to people you trust. Do not store it in version control system.
It should only be known to people you trust. Do not store it in
the
version control system.
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment