1.新建存放用户登录口令token的表,并生成model
CREATE TABLE IF NOT EXISTS `tbl_admin_session` (
`session_id` int(11) NOT NULL AUTO_INCREMENT,
`id` int(11) NOT NULL,
`session_token` varchar(56) NOT NULL,
PRIMARY KEY (`session_id`)
) ENGINE=MyISAM DEFAULT CHARSET=utf8;
然后在模型login中添加方法:
public function insertSession($id,$sessionToken)
{
$loginAdmin = AdminSession::findOne(['id' => $id]); //查询admin_session表中是否有用户的登录记录
if(!$loginAdmin){ //如果没有记录则新建此记录
$sessionModel = new AdminSession();
$sessionModel->id = $id;
$sessionModel->session_token = $sessionToken;
$result = $sessionModel->save();
}else{ //如果存在记录(则说明用户之前登录过)则更新用户登录token
$loginAdmin->session_token = $sessionToken;
$result = $loginAdmin->update();
}
return $result;
}
2.SiteController中的actionLogin操作中生成token,分别存入tbl_admin_session表和session变量中,
public function actionLogin()
{
if (!\Yii::$app->user->isGuest) {
return $this->goHome();
}
$model = new LoginForm();
if ($model->load(Yii::$app->request->post()) && $model->login()) {
//使用session和表tbl_admin_session记录登录账号的token:time&id&ip,并进行MD5加密
$id = Yii::$app->user->id; //登录用户的ID
$username = Yii::$app->user->identity->username;; //登录账号
$ip = Yii::$app->request->userIP; //登录用户主机IP
$token = md5(sprintf("%s&%s&%s",time(),$id,$ip)); //将用户登录时的时间、用户ID和IP联合加密成token存入表
$session = Yii::$app->session;
$session->set(md5(sprintf("%s&%s",$id,$username)),$token); //将token存到session变量中
//存session token值没必要取键名为$id&$username ,目的是标识用户登录token的键,$id或$username就可以
$model->insertSession($id,$token);//将token存到tbl_admin_session
return $this->goBack();
} else {
return $this->render('login', [
'model' => $model,
]);
}
}
3.新建访问过滤器
<?php
/**
* Created by PhpStorm.
* User: jiangyan
* Date: 2016-05-18
* Time: 17:22
*/
namespace backend\libs;
use backend\models\AdminSession;
use Yii;
use yii\base\ActionFilter;
use yii\web\UnauthorizedHttpException;
class CheckerFilter extends ActionFilter
{
public function beforeAction($action)
{
//rbac访问控制
$controllerID = Yii::$app->controller->id;
$actionID = $action->id;
$permissionName = $controllerID . '/' . $actionID;
//登录 所有操作都虚经过过滤器控制输出
if(!Yii::$app->user->isGuest && $actionID != 'logout')
{
$id = Yii::$app->user->id;
$session = Yii::$app->session;
$username = Yii::$app->user->identity->username;
$tokenSES = $session->get(md5(sprintf("%s&%s",$id,$username))); //取出session中的用户登录token
$sessionTBL = AdminSession::findOne(['id' => $id]);
$tokenTBL = $sessionTBL->session_token;
if($tokenSES != $tokenTBL) //如果用户登录在 session中token不同于数据表中token
{
Yii::$app->user->logout(); //执行登出操作
Yii::$app->run();
}
}
return parent::beforeAction($action);
}
}
4.在每个控制器中添加访问过滤器
public function behaviors()
{
return [
'access' => [
'class' => AccessControl::className(),
'rules' => [
[
'actions' => ['login', 'error'],
'allow' => true,
],
[
'actions' => ['logout', 'index'],
'allow' => true,
'roles' => ['@'],
],
],
],
'verbs' => [
'class' => VerbFilter::className(),
'actions' => [
'logout' => ['post'],
],
],
'checker' => [
'class' => 'backend\libs\CheckerFilter',
],
/* 'myCheck' => [
'class' => 'backend\libs\MyCheckFilter'
],*/
];
}