记一次Laravel设置Session不生效问题的排查过程
过程略无聊,想看答案的直接到底部
背景
一个朋友刚入职,从生产down了份代码下来,一顿操作傻了,本地装软件要发邮件申请,随即噼里啪啦又一顿操作,vm+Linux+PHP7+Apache搭起来了,发现打开会默认重定向到Https(中间件会根据配置强制跳转,这里记一下),捣腾一顿后终于好了,然后发现Session及Cookie不生效 ······
一路向底
朋友几天前跟我说了这个问题,我一贯的吐槽他Bug体质,整啥啥出问题。让他按顺序检查session配置、原生使用是否正常、环境是否正常、裸文件是否正常。
中间过程欢乐,一路嘲讽,还是没找到原因,叨bi这么久,我知道该干活了
拉起代码就是一把梭,折腾一会跑起来后,测试原生ok,使用框架方式调用,死活不生效,有点懵圈,这框架也不是太熟啊,但前边bibi这么久,还是跟着走了一遍
测试代码
public function index(Request $request)
{
//ini_set('date.timezone', 'PRC');
var_dump($request->cookie('ces'));
var_dump($request->session()->all());
setcookie('ces',1115,time()+86400,'/');
$request->session()->put('k1', 555);
$request->session()->save();
//var_dump(Session::get('t2'));
Session::put('t2', 1000);
Session::save();
Session::get('t2');
}
config\session的配置,本地使用文件存储,cookie名称为laravel_session
...
'driver' => env('SESSION_DRIVER', 'file'),
'files' => storage_path('framework/sessions'),
'cookie' => 'laravel_session',
...
往下跟,查看session的设置方式
// 代码文件 Session/Store.php
public function save()
{
$this->addBagDataToSession();
$this->ageFlashData();
$this->handler->write($this->getId(), $this->prepareForStorage(serialize($this->attributes)));
$this->started = false;
}
往里走就是 FileSessionHandler.php
/**
* {@inheritdoc}
*/
public function write($sessionId, $data)
{
$this->files->put($this->path.'/'.$sessionId, $data, true);
}
发现文件是写了,但每次$sessionId都不同,这没道理啊,看了一把Response Header,有点懵,这不有的嘛,其实看这里,熟悉的老哥应该知道啥问题了,但此前没深入了解过,所以没立马发现,反正我瞅的是过期时间不对,这货咋提前了8个钟
Set-Cookie: laravel_session=eyJpdiI6IkZJZGVqc25RRDBNa1hRWUlJUFpwSGc9PSIsInZhbHVlIjoiXC9pWTVuNjI3XC9KQlwveWptVzBrUzlGN0RBRk9RdG1SQXd0MHNTQ1BtdFhWeSszcEFkbzhqS2h0M04xTHpUT2N0Yml6NUNEamozQmlnUDNhY01GMlgyb3c9PSIsIm1hYyI6IjMzMTMzNThkZDUzODUwMDY5MGQxNWY5NzlmYWZlMzRjZGNjNGRhOTUzNGFhNDk3ODM1NjQ4YzI1OWUyZWM4YTIifQ%3D%3D; expires=Mon, 24-Jun-2019 12:16:13 GMT; Max-Age=7200; path=/; secure; HttpOnly
开始找时区的问题,config\App.php的配置
...
'timezone' => 'Asia/Shanghai',
...
这也没问题啊,搓了一把date('Y-m-d H:i:s')。嗯,没毛病
接下来找cookie在哪设置的,找了一圈,估计是在输出Response时写入的,但是具体在哪又不清楚,于是又一把搜,来到EncryptCookies.php,一顿debug,来到EncryptCookies->encrypt()
/**
* Handle an incoming request.
*
* @param \Illuminate\Http\Request $request
* @param \Closure $next
* @return mixed
*/
public function handle($request, Closure $next)
{
return $this->encrypt($next($this->decrypt($request)));
}
/**
* Decrypt the cookies on the request.
*
* @param \Symfony\Component\HttpFoundation\Request $request
* @return \Symfony\Component\HttpFoundation\Request
*/
protected function decrypt(Request $request)
{
foreach ($request->cookies as $key => $c) {
if ($this->isDisabled($key)) {
continue;
}
try {
$request->cookies->set($key, $this->decryptCookie($c));
} catch (DecryptException $e) {
$request->cookies->set($key, null);
}
}
return $request;
}
/**
* Encrypt the cookies on an outgoing response.
*
* @param \Symfony\Component\HttpFoundation\Response $response
* @return \Symfony\Component\HttpFoundation\Response
*/
protected function encrypt(Response $response)
{
foreach ($response->headers->getCookies() as $cookie) {
if ($this->isDisabled($cookie->getName())) {
continue;
}
$response->headers->setCookie($this->duplicate(
$cookie, $this->encrypter->encrypt($cookie->getValue())
));
}
return $response;
}
打印一通后发现,都没毛病,时间域名啊都是对的
懵圈中,再次来到土方法,打个原生cookie对比下,发现慢8个钟是因为GMT时间,但是原生的是生效了,看着secure; HttpOnly,就这不大对,搜一把再说
Set-Cookie: test=1115; expires=Tue, 25-Jun-2019 10:16:13 GMT; Max-Age=86400; path=/
Set-Cookie: laravel_session=eyJpdiI6IkZJZGVqc25RRDBNa1hRWUlJUFpwSGc9PSIsInZhbHVlIjoiXC9pWTVuNjI3XC9KQlwveWptVzBrUzlGN0RBRk9RdG1SQXd0MHNTQ1BtdFhWeSszcEFkbzhqS2h0M04xTHpUT2N0Yml6NUNEamozQmlnUDNhY01GMlgyb3c9PSIsIm1hYyI6IjMzMTMzNThkZDUzODUwMDY5MGQxNWY5NzlmYWZlMzRjZGNjNGRhOTUzNGFhNDk3ODM1NjQ4YzI1OWUyZWM4YTIifQ%3D%3D; expires=Mon, 24-Jun-2019 12:16:13 GMT; Max-Age=7200; path=/; secure; HttpOnly
好了,谜题在此揭开 Session Cookie的HttpOnly和secure属性,底子不够,瞎查了一通,总之,长知识了
因为本地环境是http所以把session.php的secure和http_only配置改了后,ok搞定收工
