Implementing remember me with token and series across multiple devices


Problem description


I am attempting to implement a "remember me" utility using the system outlined here: Improved persistent login cookie


However, there is an issue with the logic here for me, and I was wondering if anyone can clear this up for me.


  • A user is given a session ID. This is a randomly generated string and is persistent over the lifetime of the user's account.


  • A user is given a token ID. This is a randomly generated string and is recreated every time the user successfully logs in.


Both of these values are stored as signed cookies on the user's machine and in the database.


The idea is that if someone manages to spoof the user's token and series and log in as the user, then they will generate a new token ID. The next time the legitimate user attempts to log in, they will have a matching series but an invalid token, thus notifying the system that a security breach has taken place, and any necessary action can be taken (clearing the user's token).


This is great. However, what happens when a user attempts to use my application from multiple devices or browsers? Say a user logs into my service with Chrome and checks remember me. Next time they log in via Firefox and also select remember me. A new token will have been generated, so that the next time the user attempts to log in with Chrome a false theft would be triggered - no?


If this is the case, how can I implement this solution more reliably? I am well aware that cookie-based authorisation is by its very nature less secure and would not allow a cookie-authorised user to perform any damaging actions such as purchases.

Recommended answer


The original post that the "Improved persistent login cookie" refers to (found here: http://fishbowl.pastiche.org/2004/01/19/persistent_login_cookie_best_practice/) states:


The cookie should consist of the user's username, followed by a separator character, followed by some large random number (128 bits seems mind-bogglingly large enough to be acceptable). The server keeps a table of number->username associations, which is looked up to verify the validity of the cookie. If the cookie supplies a random number and username that are mapped to each other in the table, the login is accepted.

A username may be mapped to several such numbers at any time.


So, the user can have many persistent tokens at the same time.
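As an added example (not code from the question, the answer, or the linked article), the following in-memory model gives each browser or device its own series, as the answer suggests, so a login from Firefox rotates only the Firefox token and leaves the Chrome cookie valid; a matching series with a wrong token is treated as theft and revokes every series the user holds. Class and method names are assumptions for illustration; tokens are stored hashed so a leaked table does not yield usable cookies.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass


class TheftDetected(Exception):
    """Raised when a known series presents a token that does not match."""


@dataclass
class Series:
    username: str
    token_hash: str  # only a SHA-256 of the token is kept server-side


class RememberMeStore:
    """Hypothetical store: one series per device, many series per user."""

    def __init__(self):
        self.series = {}  # series_id -> Series

    @staticmethod
    def _hash(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, username):
        """Create a fresh series for one device; returns (series_id, token) for the cookie."""
        sid, token = secrets.token_urlsafe(16), secrets.token_urlsafe(32)
        self.series[sid] = Series(username, self._hash(token))
        return sid, token

    def authenticate(self, sid, token):
        """Validate a cookie. Returns (username, new_token) on success, None when the
        series is unknown, and raises TheftDetected when the series is known but the
        token is wrong (a replayed or stolen cookie), after revoking all of the user's series."""
        entry = self.series.get(sid)
        if entry is None:
            return None
        if not hmac.compare_digest(entry.token_hash, self._hash(token)):
            self.revoke_user(entry.username)
            raise TheftDetected(entry.username)
        new_token = secrets.token_urlsafe(32)  # rotate only this device's token
        entry.token_hash = self._hash(new_token)
        return entry.username, new_token

    def revoke_user(self, username):
        """Drop every series belonging to the user, on all devices."""
        for sid in [s for s, e in self.series.items() if e.username == username]:
            del self.series[sid]
```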
