提升登录SESSION安全性

2025-11-04 16:00:24 +08:00 · 2024-03-18 12:43:13 +08:00
parent 45f441ccc0
commit 1f70280503
3 changed files with 40 additions and 28 deletions
--- a/internal/db/models/login_session_dao.go
+++ b/internal/db/models/login_session_dao.go
@@ -135,40 +135,16 @@ func (this *LoginSessionDAO) WriteSessionValue(tx *dbs.Tx, sid string, key strin
 		sessionOp.UserId = userId

 		if isNewSession {
-			// 删除此用户之前创建的SESSION，防止单个用户SESSION过多
-			// TODO 将来改成按照活跃时间排序
-			const maxSessionsPerUser = 10
-			oldOnes, err := this.Query(tx).
+			// 删除此用户之前创建的SESSION，不再保存以往的SESSION，避免安全问题
+			err = this.Query(tx).
 				ResultPk().
 				Attr("adminId", adminId).
 				Attr("userId", userId).
-				Asc("createdAt").
-				FindAll()
+				Neq("sid", sid).
+				DeleteQuickly()
 			if err != nil {
 				return err
 			}
-			var countOldOnes = len(oldOnes)
-			if countOldOnes > maxSessionsPerUser {
-				var countDeleted int
-				for _, oldOne := range oldOnes {
-					var oldSessionId = int64(oldOne.(*LoginSession).Id)
-					if oldSessionId == sessionId {
-						continue
-					}
-
-					if countDeleted < countOldOnes-maxSessionsPerUser {
-						err = this.Query(tx).
-							Pk(oldSessionId).
-							DeleteQuickly()
-						if err != nil {
-							return err
-						}
-						countDeleted++
-					} else {
-						break
-					}
-				}
-			}
 		}
 	}

--- a/internal/setup/sql_upgrade.go
+++ b/internal/setup/sql_upgrade.go
@@ -106,6 +106,9 @@ var upgradeFuncs = []*upgradeVersion{
 	{
 		"1.3.2", upgradeV1_3_2,
 	},
+	{
+		"1.3.4", upgradeV1_3_4,
+	},
 }

 // UpgradeSQLData 升级SQL数据
@@ -1230,3 +1233,13 @@ func upgradeV1_3_2(db *dbs.DB) error {

 	return nil
 }
+
+// 1.3.4
+func upgradeV1_3_4(db *dbs.DB) error {
+	_, err := db.Exec("DELETE FROM edgeLoginSessions WHERE adminId>0")
+	if err != nil {
+		return err
+	}
+
+	return nil
+}
--- a/internal/setup/sql_upgrade_ext_test.go
+++ b/internal/setup/sql_upgrade_ext_test.go
@@ -27,3 +27,26 @@ func TestUpgradeSQLData_v0_5_6(t *testing.T) {
 	}
 	t.Log("ok")
 }
+
+
+func TestUpgradeSQLData_v1_3_4(t *testing.T) {
+	db, err := dbs.NewInstanceFromConfig(&dbs.DBConfig{
+		Driver: "mysql",
+		Dsn:    "root:123456@tcp(127.0.0.1:3306)/db_edge?charset=utf8mb4&timeout=30s",
+		Prefix: "edge",
+	})
+	if err != nil {
+		t.Fatal(err)
+	}
+	defer func() {
+		_ = db.Close()
+	}()
+
+	err = upgradeV1_3_4(db)
+	if err != nil {
+		t.Fatal(err)
+	}
+	t.Log("ok")
+}
+
+