Laravel: What is “remember_token” in the “users” D

2019-03-09 09:25发布

问题:

Is it safe to use the remember_token in the users table for authenticating the user into the application?

What is the purpose of this token? Currently, I'm using it in forms to check whether the user is logged in - if the token is not present, I show the login screen. Each time the user logs out, this token is regenerated.

回答1:

No. It's not supposed to be used to authenticate. It's used by the framework to help against Remember Me cookie hijacking. The value is refreshed upon login and logout. If a cookie is hijacked by a malicious person, logging out makes the hijacked cookie useless since it doesn't match anymore.

Refer to this documentation:

https://laravel.com/docs/upgrade#upgrade-4.1.26



回答2:

I had to add the remember_token to my users table migration in order for Auth::logout() to work properly.

Added remember_token to my migrations as such.

<?php

use Illuminate\Database\Schema\Blueprint;
use Illuminate\Database\Migrations\Migration;

class CreateUsersTable extends Migration {

    /**
     * Run the migrations.
     *
     * @return void
     */
    public function up()
    {
        //
        Schema::create('users', function(Blueprint $table)
        {
            $table->increments('id');
            $table->string('lname', 32);
            $table->string('fname', 32);
            $table->string('username', 32);
            $table->string('email', 320);
            $table->string('remember_token', 100);
            $table->string('password', 64);

            $table->timestamps();
        });
    }

    /**
     * Reverse the migrations.
     *
     * @return void
     */
    public function down()
    {
        //
        Schema::drop('users');

    }

}

From the command-line you the have to drop the users table, then migrate/seed.



回答3:

Even if this an old question, I wanted to present an option not use the token if you don't need it (e.g. have no remember me option on your site).

Instead of adding a dummy column to your users table you can just prevent Auth::logout() from setting it.

Just add this to your User model (works as of Laravel 5.6):

public function save(array $options = array()) {
    if(isset($this->remember_token))
        unset($this->remember_token);

    return parent::save($options);
}

This removes the 'remember_token' column just before the model gets saved and thus preventing an error to be risen because of the non-existant column.



回答4:

Laravel provides a CSRF token in a hidden input it automatically adds and validates whenever a form is submitted, whether you're logged in or not. If you're using their Form builder, this is happening without you even needing to check on it.

You should check if the user is logged in on submission using the Auth facade.