Race Condition for Persistent "Remember Me" Cookies


Question


According to Persistent Login Cookie Best Practice, you should never allow a "remember me" token to be used more than once:


A persistent cookie is good for a single login. When authentication is confirmed, the random number used to log in is invalidated and a brand new cookie assigned. Standard session-management handles the credentials for the life of the session, so the newly assigned cookie will not be checked until the next session (at which point it, too, will be invalidated after use).


Then, how do you handle the race condition where a user is visiting multiple URLs at your site at the same time? I'm actually having this problem right now.


Let's say two requests are sent from the browser to the server at the same time. The requests contain no session cookies, but the same "remember me" cookie. One of the requests will be handled before the other, and will get a response with an authenticated session cookie and a regenerated "remember me" cookie.


The "remember me" token in the second request is now invalidated and another session ID is generated on the server. This request fails, since the user cannot be authenticated.


I have come up with a few possible solutions, but none of them seem very good. Am I missing something?

Answer


Old question but I didn't find the answer anywhere. I had the same problem. My solution was to store the old token on the database and use it as a fallback if the main token is not found. But I made sure the old token is only valid for a short time frame, like several seconds after the token changes. Then I only change the token if some time has passed since the previous update, otherwise there will be cases when the token changes several times in a row.
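The scheme described in the answer, written out as an added example (this is not code from the question or the answer): each user row keeps the hash of the current and the previous token plus the time of the last rotation; the previous token is accepted for a few seconds after a rotation, and the token is not rotated again until a minimum interval has passed. The class, column layout, keying by user id and the two time constants are assumptions made for the example.

```python
import hashlib
import hmac
import secrets
import time

GRACE_SECONDS = 5         # old token stays valid this long after a rotation
MIN_ROTATE_SECONDS = 30   # do not rotate again until this much time has passed


def _digest(token: str) -> str:
    # Store only a hash of the token; a leaked table then yields nothing usable.
    return hashlib.sha256(token.encode()).hexdigest()


class RememberMeStore:
    """Stand-in for the user table (assumed layout): current token hash,
    previous token hash and the time of the last rotation, keyed by user id."""

    def __init__(self, now=time.time):
        self.now = now          # injectable clock so the race can be replayed
        self.rows = {}

    def issue(self, user_id: str) -> str:
        token = secrets.token_urlsafe(32)
        self.rows[user_id] = {"cur": _digest(token), "prev": None,
                              "rotated_at": self.now()}
        return token

    def login(self, user_id: str, presented: str):
        """Returns (accepted, cookie_to_set); cookie_to_set is None when the
        response must leave the client's remember-me cookie untouched."""
        row = self.rows.get(user_id)
        if row is None:
            return False, None
        d, now = _digest(presented), self.now()
        if hmac.compare_digest(d, row["cur"]):
            if now - row["rotated_at"] < MIN_ROTATE_SECONDS:
                return True, None            # rotated recently: keep current token
            new = secrets.token_urlsafe(32)  # single use: rotate on login
            row["prev"], row["cur"], row["rotated_at"] = row["cur"], _digest(new), now
            return True, new
        if row["prev"] is not None and hmac.compare_digest(d, row["prev"]) \
                and now - row["rotated_at"] <= GRACE_SECONDS:
            # The concurrent request lost the race: accept the old token but do
            # not set a cookie, or we would overwrite the newer one just issued.
            return True, None
        return False, None
```

The second concurrent request is accepted only inside the grace window and never receives a Set-Cookie, so the client ends up holding the single newest token.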
