php/yii2
1
0
Fork 0
mirror of https://github.com/yiisoft/yii2.git synced 2025-11-23 10:09:40 +08:00
Code Issues Packages Projects Releases Wiki Activity

for check

Browse Source
This commit is contained in:
Funson Lee
2014-11-11 09:13:00 +08:00
parent 70051e6432
commit 0e727dd917
1 changed files with 108 additions and 31 deletions
Download Patch File Download Diff File Expand all files Collapse all files

139
docs/guide-zh-CN/runtime-sessions-cookies.md
View File

@@ -1,9 +1,13 @@
Sessions and Cookies Sessions and Cookies
Sessions 和 Cookies
==================== ====================
Sessions and cookies allow data to be persisted across multiple user requests. In plain PHP, you may access them [译注Session中文翻译为会话Cookie有些翻译成小甜饼不贴切两个单词保留英文]Sessions and cookies allow data to be persisted across multiple user requests. In plain PHP, you may access them
through the global variables `$_SESSION` and `$_COOKIE`, respectively. Yii encapsulates sessions and cookies as objects through the global variables `$_SESSION` and `$_COOKIE`, respectively. Yii encapsulates sessions and cookies as objects
and thus allows you to access them in an object-oriented fashion with additional nice enhancements. and thus allows you to access them in an object-oriented fashion with additional nice enhancements.
[译注Session中文翻译为会话Cookie有些翻译成小甜饼不贴切两个单词保留英文] Sessions 和 cookies 允许数据在多次请求中保持,
在纯PHP中可以分别使用全局变量`$_SESSION``$_COOKIE` 来访问Yii将session和cookie封装成对象并增加一些功能
可通过面向对象方式访问它们。
## Sessions <a name="sessions"></a> ## Sessions <a name="sessions"></a>
@@ -11,60 +15,73 @@ and thus allows you to access them in an object-oriented fashion with additional
Like [requests](runtime-requests.md) and [responses](runtime-responses.md), you can get access to sessions via Like [requests](runtime-requests.md) and [responses](runtime-responses.md), you can get access to sessions via
the `session` [application component](structure-application-components.md) which is an instance of [[yii\web\Session]], the `session` [application component](structure-application-components.md) which is an instance of [[yii\web\Session]],
by default. by default.
和 [请求](runtime-requests.md) 和 [响应](runtime-responses.md)类似,
默认可通过为[[yii\web\Session]] 实例的`session` [应用组件](structure-application-components.md) 来访问sessions。
### Opening and Closing Sessions <a name="opening-closing-sessions"></a> ### Opening and Closing Sessions <a name="opening-closing-sessions"></a>
### 开启和关闭 Sessions <a name="opening-closing-sessions"></a>
To open and close a session, you can do the following: To open and close a session, you can do the following:
可使用以下代码来开启和关闭session。
```php ```php
$session = Yii::$app->session; $session = Yii::$app->session;
// check if a session is already open // 检查session是否开启
if ($session->isActive) ... if ($session->isActive) ...
// open a session // 开启session
$session->open(); $session->open();
// close a session // 关闭session
$session->close(); $session->close();
// destroys all data registered to a session. // 销毁session中所有已注册的数据
$session->destroy(); $session->destroy();
``` ```
You can call the [[yii\web\Session::open()|open()]] and [[yii\web\Session::close()|close()]] multiple times You can call the [[yii\web\Session::open()|open()]] and [[yii\web\Session::close()|close()]] multiple times
without causing errors. This is because internally the methods will first check if the session is already opened. without causing errors. This is because internally the methods will first check if the session is already opened.
多次调用[[yii\web\Session::open()|open()]] 和[[yii\web\Session::close()|close()]] 方法并不会产生错误,
因为方法内部会先检查session是否已经开启。
### Accessing Session Data <a name="access-session-data"></a> ### Accessing Session Data <a name="access-session-data"></a>
### 访问Session数据 <a name="access-session-data"></a>
To access the data stored in session, you can do the following: To access the data stored in session, you can do the following:
可使用如下方式访问session中的数据
```php ```php
$session = Yii::$app->session; $session = Yii::$app->session;
// get a session variable. The following usages are equivalent: // get a session variable. The following usages are equivalent:
// 获取session中的变量值以下用法是相同的
$language = $session->get('language'); $language = $session->get('language');
$language = $session['language']; $language = $session['language'];
$language = isset($_SESSION['language']) ? $_SESSION['language'] : null; $language = isset($_SESSION['language']) ? $_SESSION['language'] : null;
// set a session variable. The following usages are equivalent: // set a session variable. The following usages are equivalent:
// 设置一个session变量以下用法是相同的
$session->set('language', 'en-US'); $session->set('language', 'en-US');
$session['language'] = 'en-US'; $session['language'] = 'en-US';
$_SESSION['language'] = 'en-US'; $_SESSION['language'] = 'en-US';
// remove a session variable. The following usages are equivalent: // remove a session variable. The following usages are equivalent:
// 删除一个session变量以下用法是相同的
$session->remove('language'); $session->remove('language');
unset($session['language']); unset($session['language']);
unset($_SESSION['language']); unset($_SESSION['language']);
// check if a session variable exists. The following usages are equivalent: // check if a session variable exists. The following usages are equivalent:
// 检查session变量是否已存在以下用法是相同的
if ($session->has('language')) ... if ($session->has('language')) ...
if (isset($session['language'])) ... if (isset($session['language'])) ...
if (isset($_SESSION['language'])) ... if (isset($_SESSION['language'])) ...
// traverse all session variables. The following usages are equivalent: // traverse all session variables. The following usages are equivalent:
// 遍历所有session变量以下用法是相同的
foreach ($session as $name => $value) ... foreach ($session as $name => $value) ...
foreach ($_SESSION as $name => $value) ... foreach ($_SESSION as $name => $value) ...
``` ```
@@ -72,49 +89,59 @@ foreach ($_SESSION as $name => $value) ...
> Info: When you access session data through the `session` component, a session will be automatically opened > Info: When you access session data through the `session` component, a session will be automatically opened
if it has not been done so before. This is different from accessing session data through `$_SESSION`, which requires if it has not been done so before. This is different from accessing session data through `$_SESSION`, which requires
an explicit call of `session_start()`. an explicit call of `session_start()`.
> 补充: 当使用`session`组件访问session数据时候如果session没有开启会自动开启
这和通过`$_SESSION`不同,`$_SESSION`要求先执行`session_start()`
When working with session data that are arrays, the `session` component has a limitation which prevents you from When working with session data that are arrays, the `session` component has a limitation which prevents you from
directly modifying an array element. For example, directly modifying an array element. For example,
当session数据为数组时`session`组件会限制你直接修改数据中的单元项,例如:
```php ```php
$session = Yii::$app->session; $session = Yii::$app->session;
// the following code will NOT work // the following code will NOT work
// 如下代码不会生效
$session['captcha']['number'] = 5; $session['captcha']['number'] = 5;
$session['captcha']['lifetime'] = 3600; $session['captcha']['lifetime'] = 3600;
// the following code works: // the following code works:
// 如下代码会生效:
$session['captcha'] = [ $session['captcha'] = [
'number' => 5, 'number' => 5,
'lifetime' => 3600, 'lifetime' => 3600,
]; ];
// the following code also works: // 如下代码也会生效:
echo $session['captcha']['lifetime']; echo $session['captcha']['lifetime'];
``` ```
You can use one of the following workarounds to solve this problem: You can use one of the following workarounds to solve this problem:
可使用以下任意一个变通方法来解决这个问题:
```php ```php
$session = Yii::$app->session; $session = Yii::$app->session;
// directly use $_SESSION (make sure Yii::$app->session->open() has been called) // directly use $_SESSION (make sure Yii::$app->session->open() has been called)
// 直接使用$_SESSION (确保Yii::$app->session->open() 已经调用)
$_SESSION['captcha']['number'] = 5; $_SESSION['captcha']['number'] = 5;
$_SESSION['captcha']['lifetime'] = 3600; $_SESSION['captcha']['lifetime'] = 3600;
// get the whole array out first, modify it and then save it back // get the whole array out first, modify it and then save it back
// 先获取session数据到一个数组修改数组的值然后保存数组到session中
$captcha = $session['captcha']; $captcha = $session['captcha'];
$captcha['number'] = 5; $captcha['number'] = 5;
$captcha['lifetime'] = 3600; $captcha['lifetime'] = 3600;
$session['captcha'] = $captcha; $session['captcha'] = $captcha;
// use ArrayObject instead of array // use ArrayObject instead of array
// 使用ArrayObject 数组对象代替数组
$session['captcha'] = new \ArrayObject; $session['captcha'] = new \ArrayObject;
... ...
$session['captcha']['number'] = 5; $session['captcha']['number'] = 5;
$session['captcha']['lifetime'] = 3600; $session['captcha']['lifetime'] = 3600;
// store array data by keys with common prefix // store array data by keys with common prefix
// 使用带通用前缀的键来存储数组
$session['captcha.number'] = 5; $session['captcha.number'] = 5;
$session['captcha.lifetime'] = 3600; $session['captcha.lifetime'] = 3600;
``` ```
@@ -122,42 +149,56 @@ $session['captcha.lifetime'] = 3600;
For better performance and code readability, we recommend the last workaround. That is, instead of storing For better performance and code readability, we recommend the last workaround. That is, instead of storing
an array as a single session variable, you store each array element as a session variable which shares the same an array as a single session variable, you store each array element as a session variable which shares the same
key prefix with other array elements. key prefix with other array elements.
为更好的性能和可读性推荐最后一种方案也就是不用存储session变量为数组
而是将每个数组项变成有相同键前缀的session变量。
### Custom Session Storage <a name="custom-session-storage"></a> ### Custom Session Storage <a name="custom-session-storage"></a>
### 自定义Session存储 <a name="custom-session-storage"></a>
The default [[yii\web\Session]] class stores session data as files on the server. Yii also provides the following The default [[yii\web\Session]] class stores session data as files on the server. Yii also provides the following
session classes implementing different session storage: session classes implementing different session storage:
[[yii\web\Session]] 类默认存储session数据为文件到服务器上Yii提供以下session类实现不同的session存储方式
* [[yii\web\DbSession]]: stores session data in a database table. * [[yii\web\DbSession]]: stores session data in a database table.
* [[yii\web\CacheSession]]: stores session data in a cache with the help of a configured [cache component](caching-data.md#cache-components). * [[yii\web\CacheSession]]: stores session data in a cache with the help of a configured [cache component](caching-data.md#cache-components).
* [[yii\redis\Session]]: stores session data using [redis](http://redis.io/) as the storage medium. * [[yii\redis\Session]]: stores session data using [redis](http://redis.io/) as the storage medium.
* [[yii\mongodb\Session]]: stores session data in a [MongoDB](http://www.mongodb.org/). * [[yii\mongodb\Session]]: stores session data in a [MongoDB](http://www.mongodb.org/).
* [[yii\web\DbSession]]: 存储session数据在数据表中
* [[yii\web\CacheSession]]: 存储session数据到缓存中缓存和配置中的[缓存组件](caching-data.md#cache-components)相关
* [[yii\redis\Session]]: 存储session数据到以[redis](http://redis.io/) 作为存储媒介中
* [[yii\mongodb\Session]]: 存储session数据到[MongoDB](http://www.mongodb.org/).
All these session classes support the same set of API methods. As a result, you can switch to use a different All these session classes support the same set of API methods. As a result, you can switch to use a different
session storage without the need to modify your application code that uses session. session storage without the need to modify your application code that uses session.
所有这些session类支持相同的API方法集因此切换到不同的session存储介质不需要修改项目使用session的代码。
> Note: If you want to access session data via `$_SESSION` while using custom session storage, you must make > Note: If you want to access session data via `$_SESSION` while using custom session storage, you must make
sure that the session is already started by [[yii\web\Session::open()]]. This is because custom session storage sure that the session is already started by [[yii\web\Session::open()]]. This is because custom session storage
handlers are registered within this method. handlers are registered within this method.
> 注意: 如果通过`$_SESSION`访问使用自定义存储介质的session需要确保session已经用[[yii\web\Session::open()]] 开启,
这是因为在该方法中注册自定义session存储处理器。
To learn how to configure and use these component classes, please refer to their API documentation. Below is To learn how to configure and use these component classes, please refer to their API documentation. Below is
an example showing how to configure [[yii\web\DbSession]] in the application configuration to use database table an example showing how to configure [[yii\web\DbSession]] in the application configuration to use database table
as session storage: as session storage:
学习如何配置和使用这些组件类请参考它们的API文档如下为一个示例
显示如何在应用配置中配置[[yii\web\DbSession]]将数据表作为session存储介质。
```php ```php
return [ return [
'components' => [ 'components' => [
'session' => [ 'session' => [
'class' => 'yii\web\DbSession', 'class' => 'yii\web\DbSession',
// 'db' => 'mydb', // the application component ID of the DB connection. Defaults to 'db'. // 'db' => 'mydb', // 数据库连接的应用组件ID默认为'db'.
// 'sessionTable' => 'my_session', // session table name. Defaults to 'session'. // 'sessionTable' => 'my_session', // session 数据表名,默认为'session'.
], ],
], ],
]; ];
``` ```
You also need to create the following database table to store session data: You also need to create the following database table to store session data:
也需要创建如下数据库表来存储session数据
```sql ```sql
CREATE TABLE session CREATE TABLE session
@@ -168,15 +209,14 @@ CREATE TABLE session
) )
``` ```
where 'BLOB' refers to the BLOB-type of your preferred DBMS. Below are the BLOB type that can be used for some popular DBMS: 其中'BLOB' 对应你选择的数据库管理系统的BLOB-type类型以下一些常用数据库管理系统的BLOB类型
- MySQL: LONGBLOB - MySQL: LONGBLOB
- PostgreSQL: BYTEA - PostgreSQL: BYTEA
- MSSQL: BLOB - MSSQL: BLOB
> Note: According to the php.ini setting of `session.hash_function`, you may need to adjust > 注意: 根据php.ini 设置的 `session.hash_function`,你需要调整`id`列的长度,
the length of the `id` column. For example, if `session.hash_function=sha256`, you should use 例如,如果 `session.hash_function=sha256` 应使用长度为64而不是40的char类型。
length 64 instead of 40.
### Flash Data <a name="flash-data"></a> ### Flash Data <a name="flash-data"></a>
@@ -185,42 +225,49 @@ Flash data is a special kind of session data which, once set in one request, wil
the next request and will be automatically deleted afterwards. Flash data is most commonly used to implement the next request and will be automatically deleted afterwards. Flash data is most commonly used to implement
messages that should only be displayed to end users once, such as a confirmation message displayed after messages that should only be displayed to end users once, such as a confirmation message displayed after
a user successfully submits a form. a user successfully submits a form.
Flash数据是一种特别的session数据它一旦在某个请求中设置后只会在下次请求中有效然后该数据就会自动被删除。
常用于实现只需显示给终端用户一次的信息,如用户提交一个表单后显示确认信息。
You can set and access flash data through the `session` application component. For example, You can set and access flash data through the `session` application component. For example,
可通过`session`应用组件设置或访问`session`,例如:
```php ```php
$session = Yii::$app->session; $session = Yii::$app->session;
// Request #1 // 请求 #1
// set a flash message named as "postDeleted" // 设置一个名为"postDeleted" flash 信息
$session->setFlash('postDeleted', 'You have successfully deleted your post.'); $session->setFlash('postDeleted', 'You have successfully deleted your post.');
// Request #2 // 请求 #2
// display the flash message named "postDeleted" // 显示名为"postDeleted" flash 信息
echo $session->getFlash('postDeleted'); echo $session->getFlash('postDeleted');
// Request #3 // 请求 #3
// $result will be false since the flash message was automatically deleted // $result 为 false因为flash信息已被自动删除
$result = $session->hasFlash('postDeleted'); $result = $session->hasFlash('postDeleted');
``` ```
Like regular session data, you can store arbitrary data as flash data. Like regular session data, you can store arbitrary data as flash data.
和普通session数据类似可将任意数据存储为flash数据。
When you call [[yii\web\Session::setFlash()]], it will overwrite any existing flash data that has the same name. When you call [[yii\web\Session::setFlash()]], it will overwrite any existing flash data that has the same name.
To append new flash data to the existing one(s) of the same name, you may call [[yii\web\Session::addFlash()]] instead. To append new flash data to the existing one(s) of the same name, you may call [[yii\web\Session::addFlash()]] instead.
For example: For example:
当调用[[yii\web\Session::setFlash()]]时, 会自动覆盖相同名的已存在的任何数据,
为将数据追加到已存在的相同名flash中可改为调用[[yii\web\Session::addFlash()]]。
例如:
```php ```php
$session = Yii::$app->session; $session = Yii::$app->session;
// Request #1 // 请求 #1
// add a few flash messages under the name of "alerts" // 在名称为"alerts"的flash信息增加数据
$session->addFlash('alerts', 'You have successfully deleted your post.'); $session->addFlash('alerts', 'You have successfully deleted your post.');
$session->addFlash('alerts', 'You have successfully added a new friend.'); $session->addFlash('alerts', 'You have successfully added a new friend.');
$session->addFlash('alerts', 'You are promoted.'); $session->addFlash('alerts', 'You are promoted.');
// Request #2 // 请求 #2
// $alerts is an array of the flash messages under the name of "alerts" // $alerts 为名为'alerts'的flash信息为数组格式
$alerts = $session->getFlash('alerts'); $alerts = $session->getFlash('alerts');
``` ```
@@ -229,6 +276,10 @@ $alerts = $session->getFlash('alerts');
can append new flash data of the same name. As a result, when you call [[yii\web\Session::getFlash()]], you may can append new flash data of the same name. As a result, when you call [[yii\web\Session::getFlash()]], you may
find sometimes you are getting an array while sometimes you are getting a string, depending on the order of find sometimes you are getting an array while sometimes you are getting a string, depending on the order of
the invocation of these two methods. the invocation of these two methods.
> 注意: 不要在相同名称的flash数据中使用[[yii\web\Session::setFlash()]] 的同时也使用[[yii\web\Session::addFlash()]]
因为后一个防范会自动将flash信息转换为数组以使新的flash数据可追加进来因此
当你调用[[yii\web\Session::getFlash()]]时,会发现有时获取到一个数组,有时获取到一个字符串,
取决于你调用这两个方法的顺序。
## Cookies <a name="cookies"></a> ## Cookies <a name="cookies"></a>
@@ -237,84 +288,108 @@ Yii represents each cookie as an object of [[yii\web\Cookie]]. Both [[yii\web\Re
maintain a collection of cookies via the property named `cookies`. The cookie collection in the former represents maintain a collection of cookies via the property named `cookies`. The cookie collection in the former represents
the cookies submitted in a request, while the cookie collection in the latter represents the cookies that are to the cookies submitted in a request, while the cookie collection in the latter represents the cookies that are to
be sent to the user. be sent to the user.
Yii使用 [[yii\web\Cookie]]对象来代表每个cookie[[yii\web\Request]] 和 [[yii\web\Response]]
通过名为'cookies'的属性维护一个cookie集合前者的cookie 集合代表请求提交的cookies
后者的cookie集合表示发送给用户的cookies。
### Reading Cookies <a name="reading-cookies"></a> ### Reading Cookies <a name="reading-cookies"></a>
### 读取 Cookies <a name="reading-cookies"></a>
You can get the cookies in the current request using the following code: You can get the cookies in the current request using the following code:
当前请求的cookie信息可通过如下代码获取
```php ```php
// get the cookie collection (yii\web\CookieCollection) from "request" component // 从 "request"组件中获取cookie集合(yii\web\CookieCollection)
$cookies = Yii::$app->request->cookies; $cookies = Yii::$app->request->cookies;
// get the "language" cookie value. If the cookie does not exist, return "en" as the default value. // 获取名为 "language" cookie 的值,如果不存在,返回默认值"en"
$language = $cookies->getValue('language', 'en'); $language = $cookies->getValue('language', 'en');
// an alternative way of getting the "language" cookie value // 另一种方式获取名为 "language" cookie 的值
if (($cookie = $cookies->get('language')) !== null) { if (($cookie = $cookies->get('language')) !== null) {
$language = $cookie->value; $language = $cookie->value;
} }
// you may also use $cookies like an array // 可将 $cookies当作数组使用
if (isset($cookies['language'])) { if (isset($cookies['language'])) {
$language = $cookies['language']->value; $language = $cookies['language']->value;
} }
// check if there is a "language" cookie // 判断是否存在名为"language" cookie
if ($cookies->has('language')) ... if ($cookies->has('language')) ...
if (isset($cookies['language'])) ... if (isset($cookies['language'])) ...
``` ```
### Sending Cookies <a name="sending-cookies"></a> ### Sending Cookies <a name="sending-cookies"></a>
### 发送 Cookies <a name="sending-cookies"></a>
You can send cookies to end users using the following code: You can send cookies to end users using the following code:
可使用如下代码发送cookie到终端用户
```php ```php
// get the cookie collection (yii\web\CookieCollection) from "response" component // 从"response"组件中获取cookie 集合(yii\web\CookieCollection)
$cookies = Yii::$app->response->cookies; $cookies = Yii::$app->response->cookies;
// add a new cookie to the response to be sent // add a new cookie to the response to be sent
// 在要发送的响应中添加一个新的cookie
$cookies->add(new \yii\web\Cookie([ $cookies->add(new \yii\web\Cookie([
'name' => 'language', 'name' => 'language',
'value' => 'zh-CN', 'value' => 'zh-CN',
])); ]));
// remove a cookie // 删除一个cookie
$cookies->remove('language'); $cookies->remove('language');
// equivalent to the following // 等同于以下删除代码
unset($cookies['language']); unset($cookies['language']);
``` ```
Besides the [[yii\web\Cookie::name|name]], [[yii\web\Cookie::value|value]] properties shown in the above Besides the [[yii\web\Cookie::name|name]], [[yii\web\Cookie::value|value]] properties shown in the above
examples, the [[yii\web\Cookie]] class also defines other properties to fully represent all possible information examples, the [[yii\web\Cookie]] class also defines other properties to fully represent all possible information
of cookies, such as [[yii\web\Cookie::domain|domain]], [[yii\web\Cookie::expire|expire]]. You may configure these of cookies, such as [[yii\web\Cookie::domain|domain]], [[yii\web\Cookie::expire|expire]]. You may configure these
properties as needed to prepare a cookie and then add it to the response's cookie collection. properties as needed to prepare a cookie and then add it to the responses cookie collection.
除了上述例子定义的 [[yii\web\Cookie::name|name]] 和 [[yii\web\Cookie::value|value]] 属性
[[yii\web\Cookie]] 类也定义了其他属性来实现cookie的各种信息
[[yii\web\Cookie::domain|domain]], [[yii\web\Cookie::expire|expire]]
可配置这些属性到cookie中并添加到响应的cookie集合中。
> Note: For better security, the default value of [[yii\web\Cookie::httpOnly]] is set true. This helps mitigate > Note: For better security, the default value of [[yii\web\Cookie::httpOnly]] is set true. This helps mitigate
the risk of client side script accessing the protected cookie (if the browser supports it). You may read the risk of client side script accessing the protected cookie (if the browser supports it). You may read
the [httpOnly wiki article](https://www.owasp.org/index.php/HttpOnly) for more details. the [httpOnly wiki article](https://www.owasp.org/index.php/HttpOnly) for more details.
> 注意: 为安全起见[[yii\web\Cookie::httpOnly]] 被设置为true这可减少客户端脚本访问受保护cookie如果浏览器支持的风险
更多详情可阅读 [httpOnly wiki article](https://www.owasp.org/index.php/HttpOnly) for more details.
### Cookie Validation <a name="cookie-validation"></a> ### Cookie Validation <a name="cookie-validation"></a>
### Cookie验证 <a name="cookie-validation"></a>
When you are reading and sending cookies through the `request` and `response` components like shown in the last When you are reading and sending cookies through the `request` and `response` components like shown in the last
two subsections, you enjoy the added security of cookie validation which protects cookies from being modified two subsections, you enjoy the added security of cookie validation which protects cookies from being modified
on the client side. This is achieved by signing each cookie with a hash string, which allows the application to on the client side. This is achieved by signing each cookie with a hash string, which allows the application to
tell if a cookie is modified on the client side or not. If so, the cookie will NOT be accessible through the tell if a cookie is modified on the client side or not. If so, the cookie will NOT be accessible through the
[[yii\web\Request::cookies|cookie collection]] of the `request` component. [[yii\web\Request::cookies|cookie collection]] of the `request` component.
在上两节中,当通过`request``response` 组件读取和发送cookie时你会喜欢扩展的cookie验证的保障安全功能它能
使cookie不被客户端修改。该功能通过给每个cookie签发一个哈希字符串来告知服务端cookie是否在客户端被修改
如果被修改,通过`request`组件的[[yii\web\Request::cookies|cookie collection]]cookie集合访问不到该cookie。
> Note: Cookie validation only protects cookie values from being modified. If a cookie fails the validation, > Note: Cookie validation only protects cookie values from being modified. If a cookie fails the validation,
you may still access it through `$_COOKIE`. This is because third-party libraries may manipulate cookies you may still access it through `$_COOKIE`. This is because third-party libraries may manipulate cookies
in their own way, which does not involve cookie validation. in their own way, which does not involve cookie validation.
> 注意: Cookie验证只保护cookie值被修改如果一个cookie验证失败仍然可以通过`$_COOKIE`来访问该cookie
因为这是第三方库对未通过cookie验证自定义的操作方式。
Cookie validation is enabled by default. You can disable it by setting the [[yii\web\Request::enableCookieValidation]] Cookie validation is enabled by default. You can disable it by setting the [[yii\web\Request::enableCookieValidation]]
property to be false, although we strongly recommend you do not do so. property to be false, although we strongly recommend you do not do so.
Cookie验证默认启用可以设置[[yii\web\Request::enableCookieValidation]]属性为false来禁用它尽管如此我们强烈建议启用它。
> Note: Cookies that are directly read/sent via `$_COOKIE` and `setcookie()` will NOT be validated. > Note: Cookies that are directly read/sent via `$_COOKIE` and `setcookie()` will NOT be validated.
> 注意: 直接通过`$_COOKIE` 和 `setcookie()` 读取和发送的Cookie不会被验证。
When using cookie validation, you must specify a [[yii\web\Request::cookieValidationKey]] that will be used to generate When using cookie validation, you must specify a [[yii\web\Request::cookieValidationKey]] that will be used to generate
the aforementioned hash strings. You can do so by configuring the `request` component in the application configuration: the aforementioned hash strings. You can do so by configuring the `request` component in the application configuration:
当使用cookie验证必须指定[[yii\web\Request::cookieValidationKey]]它是用来生成s上述的哈希值
可通过在应用配置中配置`request` 组件。
```php ```php
return [ return [
@@ -328,3 +403,5 @@ return [
> Info: [[yii\web\Request::cookieValidationKey|cookieValidationKey]] is critical to your application's security. > Info: [[yii\web\Request::cookieValidationKey|cookieValidationKey]] is critical to your application's security.
It should only be known to people you trust. Do not store it in version control system. It should only be known to people you trust. Do not store it in version control system.
> 补充: [[yii\web\Request::cookieValidationKey|cookieValidationKey]] 对你的应用安全很重要,
应只被你信任的人知晓,请不要将它放入版本控制中。