Question
I am attempting to set a cookie and then check to see if the cookie has been set.
So in one function, I have it make the cookies:
public function makeCookies(){
Cookie::queue('logged_in', $value, 15);
Cookie::queue('user_id', 2);
//return Response::make()->withCookie(Cookie::make('logged_in', $value, 15))->withCookie(Cookie::forever('user_id', 2));
}
And in the other function, I try to check to see if the cookie has been set:
public function checkCookies(){
$this->makeCookies();
if(Cookie::get('logged_in') && Cookie::get('user_id')){
return 'Logged In!';
}
}
However the only way this works is if I add 'return' before $this->makeCookies(); However, I want to be able to get to the conditional below it. Is there any way I can go about doing this? Any help is greatly appreciated.
Answer 1:
To understand the Cookie Creation/Read process:
- The user's browser sends a request for a page, along with any cookies that it currently has for the site
- The site serves up the page, and any cookies you create become a header in your response.
- Subsequent requests to your site will send the cookies created in #2.
What you are asking...to be able to read cookies that you create in step #2 in step #1...not possible.
Now, depending on how the Cookie class is created, you could make it so that when the Cookie::queue() is called, that it creates in-memory data that reflects what the cookie "should be" on the next request, but it doesn't truly know whether or not the user's browser will accept cookies, etc.
This is why many sites, after creating a cookie give the user a redirect to a page with something like ?checkCookie=1. This way, on the subsequent request, they can verify that your browser supports cookies...and if the cookie doesn't exist on the ?checkCookie page, they give you an error saying that their site requires cookie support. However, it does require a second round to the server to read cookies from the browser that were created.
UPDATE 2015-04-24: Per @Scopey, Laravel does support in-memory retrieval of cookies via queued(). So, you should be able to do:
public function checkCookies(){
$this->makeCookies();
$loggedIn = Cookie::get('logged_in') ?: Cookie::queued('logged_in');
$userId = Cookie::get('user_id') ?: Cookie::queued('user_id');
if( $loggedIn && $userId ){
return 'Logged In!';
}
}
SECURITY CONCERNS (NOT DIRECTLY ANSWERING THE QUESTION)
Your question was only about the cookies, so that's all I answered. However, now that I'm looking at your code, I feel I would be remiss not to point this out for anyone that happens to be reading this. This may just be a "how to" for yourself and not production code, but that code could be very dangerous if it ever went public.
Make sure you do NOT TRUST a user_id stored in a cookie to determine what user is coming in via cookies. If you rely on that, and I come to your site, I can modify my cookie to any user_id I want and get into other people's accounts.
General Safety Rules:
A cookie should contain a GUID, or similar random string to identify the session. This random string should be sufficiently long (e.g. 32 characters or greater, IMHO) that it is not easy for someone to brute-force their way to hijacking sessions.
The user_id should be stored in the $_SESSION (or laravel's wrapper for session if applicable) so that the user doesn't have any access to the user_id to be able to modify it.
In plain PHP, this looks something like this for the login page:
session_start();
if( isValidPassword($_POST['username'], $_POST['password']) ) {
$_SESSION['user_id'] = $user->Id;
}
else {
die('invalid login credentials');
}
The session_start() method automatically generates a cookie for the user with that long, random string (so you don't even have to worry about that part.)
On subsequent pages, you just check the session user_id to know who is logged in:
session_start();
if( empty($_SESSION['user_id']) ) {
die('You are not logged in and cannot access this page');
}
Change as needed per Laravel's documentation, which if they have their own session wrapper, I'm sure is well documented on best practices.
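As an added example (not the answer author's code), here is the cookie-trusting check the answer warns against beside the session-based check it recommends, in plain PHP. The $users array and isValidPassword() are constructed stand-ins for a real credential lookup; the explicit session cookie flags and the session id regeneration go slightly beyond what the answer shows.

```php
<?php
// Added example, not from the answer author. $users and isValidPassword()
// are hypothetical stand-ins for a real user store and credential check.
$users = [
    // constructed sample record; the hash is generated at runtime
    'alice' => ['id' => 2, 'hash' => password_hash('correct horse battery', PASSWORD_DEFAULT)],
];

// Returns the user id on a valid login, null otherwise.
function isValidPassword(array $users, string $username, string $password): ?int {
    if (!isset($users[$username])) {
        return null;
    }
    return password_verify($password, $users[$username]['hash']) ? $users[$username]['id'] : null;
}

// INSECURE: the browser owns this value, so any visitor can claim any user_id.
function currentUserInsecure(): ?int {
    return isset($_COOKIE['user_id']) ? (int) $_COOKIE['user_id'] : null;
}

// SECURE login: the browser only ever holds the random session id cookie;
// user_id is kept server-side in $_SESSION where the client cannot edit it.
function loginSecure(array $users, string $username, string $password): bool {
    // Session cookie not readable by scripts, HTTPS-only, not sent cross-site.
    session_set_cookie_params(['httponly' => true, 'secure' => true, 'samesite' => 'Lax']);
    session_start();
    $id = isValidPassword($users, $username, $password);
    if ($id === null) {
        return false;
    }
    // Issue a fresh session id once authenticated so a pre-login id cannot be reused.
    session_regenerate_id(true);
    $_SESSION['user_id'] = $id;
    return true;
}

// SECURE check on later pages: identity comes from the server-side session only.
function currentUserSecure(): ?int {
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    return $_SESSION['user_id'] ?? null;
}
```

The cookie named user_id in the insecure function can be rewritten by the visitor before each request; the session id cookie only identifies server-side storage, which is why the user_id stored there cannot be tampered with.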
Answer 2:
Excellent description by @KevinNelson about cookies, but Laravel does support fetching back any cookies you have queued in the current request. Try using Cookie::queued('logged_in');
The catch is, the cookie will only be "queued" during the request that you queued it. You will have to use get like you are for any other requests.
Source: https://stackoverflow.com/questions/29836332/set-and-check-cookie-in-the-one-response-laravel