使用Cookie记住我时的安全性 [英] Security when using Cookies to Remember Me

问题描述

我已经在PHP中实现了一个登录类，并希望创建一个记住我类型的功能，这样用户就不必每次访问都能登录。我已经对此进行了一些研究，并准备使用PHP setcookie（...）编写它，但之后又浏览了这个页面：如何使用jquery创建'Remember Me'，存储cookie 。我打算用PHP写这个，因为这是我的力量，但是这个页面让它看起来很简单： http://www.quirksmode.org/js/cookies.html

I have implemented a login class in PHP, and want to create a remember me type functionality so users won't have to login with each visit. I have researched this a bit and was preparing to write it using PHP setcookie(...) but then ran across this page: How to Create 'Remember Me' using jquery , store cookies. I was planning on writing this in PHP since it's my strength, but this page makes it look so easy in js: http://www.quirksmode.org/js/cookies.html

我正在寻找关于 gotchas的一点指导对于每种方法，更具体地说是与安全性相关的问题。我只是想通过提供这种类型的功能来确保我不会使任务复杂化或打开任何漏洞。

I am looking for a little guidance on gotchas for each method, and more specifically issues related to security. I just want to make sure I don't complicate the task or open any holes by providing this type of functionality.

谢谢，Kris

推荐答案

在服务器上创建识别令牌，将其发送到客户端并使用Javascript设置在那里与在服务器上设置它相比没有多大意义 - 一方面。

It doesn't make much sense to create an identification token on the server, send it to the client and set there using Javascript compared to setting it at server-side in the first place.

更重要的是，使用Javascript使其与更少的客户端兼容，更不健壮，安全性更低（因为你不能使用 HTTPOnly cookies）。

More importantly, using Javascript makes it compatible with less clients, less robust, and less secure (as you cannot use HTTPOnly cookies).

这篇关于使用Cookie记住我时的安全性的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！