refactor(Session): Add Session Format Docs

record login ip information in session string without hit redis cache (Which may lost).
Rhilip · Jun 5, 2019 · a2a1ce1 · a2a1ce1
1 parent c556644
commit a2a1ce1
Show file tree

Hide file tree

Showing 2 changed files with 20 additions and 10 deletions.
diff --git a/apps/middleware/AuthByCookiesMiddleware.php b/apps/middleware/AuthByCookiesMiddleware.php
@@ -41,8 +41,10 @@ public function handle($callable, \Closure $next)
              */
             $userSessionId = app()->request->cookie(Constant::cookie_name);
             if (substr($userSessionId, 0, 1) === '1') {
-                $record_ip = app()->redis->hGet('Site:Sessions:secure', $userSessionId);
-                if (app()->request->getClientIp() !== $record_ip) {  // The Ip isn't matched
+                $record_ip_crc = substr($userSessionId, 2, 8);
+                $this_ip_crc = sprintf('%08x',crc32(app()->request->getClientIp()));
+
+                if (strcasecmp($record_ip_crc,$this_ip_crc) !== 0) {  // The Ip isn't matched
                     app()->cookie->delete(Constant::cookie_name);
                     return app()->response->redirect('/auth/login');
                 }

diff --git a/apps/models/form/UserLoginForm.php b/apps/models/form/UserLoginForm.php
@@ -130,10 +130,23 @@ public function createUserSession()
 
         $exist_session_count = app()->redis->zCount($this->sessionSaveKey, $userId, $userId);
         if ($exist_session_count < app()->config->get('base.max_per_user_session')) {
+            /**
+             * SessionId Format:
+             *      /^(?P<secure_login_flag>[01])\$(?P<ip_or_random_crc>[a-z0-9]{8})\$\w+$/
+             * The first character of sessionId is the Flag of secure login,
+             * if secure login, The second param is the sprintf('%08x',crc32($id))
+             *            else, Another random string with length 8
+             * The prefix of sessionId is in lowercase
+             *
+             */
+            if ($this->securelogin === 'yes') {
+                $sid_prefix = '1$' . sprintf('%08x',crc32(app()->request->getClientIp())) . '$';
+            } else {
+                $sid_prefix = '0$' . StringHelper::getRandomString(8) . '$';
+            }
+            $sid_prefix = strtolower($sid_prefix);
             do { // To make sure this session is unique !
-                // The first character of sessionId is the Flag of secure login
-                $userSessionId = StringHelper::getRandomString($this->sessionLength - 1);
-                $userSessionId = ($this->securelogin === 'yes' ? '1' : '0') . $userSessionId;
+                $userSessionId = $sid_prefix . StringHelper::getRandomString($this->sessionLength - strlen($sid_prefix));
 
                 $count = app()->pdo->createCommand('SELECT COUNT(`id`) FROM `user_session_log` WHERE sid = :sid')->bindParams([
                     'sid' => $userSessionId
@@ -151,11 +164,6 @@ public function createUserSession()
             // Add this session id in Redis Cache
             app()->redis->zAdd($this->sessionSaveKey, $userId, $userSessionId);
 
-            // Add IP linked
-            if ($this->securelogin === 'yes') {
-                app()->redis->hSet('Site:Sessions:secure', $userSessionId, app()->request->getClientIp());
-            }
-
             // Set User Cookie
             $cookieExpire = $this->cookieExpires;
             if ($this->logout === 'yes') {