Best practice for remember me feature


Question

I am using 2 variables in a cookie (7-day expiration): the user id and a hash. The hash is the SHA1 of the user agent and user id. In this case a hacker who knows the stolen cookie's browser can log in. Which way should I follow, or which practice is best for remember-me security problems?

Recommended answer

While you can hash a user_id and secret_key, anyone who intercepts this cookie can log in to your application. In addition to this, you can make it so that your remember me cookies go stale very quickly. No one likes a stale cookie.

You can store the time stamp of each user's last visit in your database and in the cookie. Each time you read the cookie to log the user in, you check to see that both timestamps match. If they don't, deny the user. If they do, update the timestamps.

Using this method, any time your user returns to your site, all old cookies go stale. A hacker that has intercepted a cookie now has a worthless stale cookie because he does not know the exact time stamp in the current cookie. Of course, the hacker can use a fresh cookie as much as he wants until the user logs back in.

// check for cookie
if (isset($_COOKIE['remember_me'])) {
   // get hash and time stamp from cookie, laid out as "<40-char sha1>-<timestamp>"
   $hash = substr($_COOKIE['remember_me'], 0, 40);
   $last_visit = substr($_COOKIE['remember_me'], 41);

   // query your db with $hash and $last_visit; remember_me_lookup() is a placeholder
   // for your own lookup and should return true only when both match the stored row
   $valid = remember_me_lookup($hash, $last_visit);

   // if hash and time stamp match up
   if ($valid) {
      // log in

      // store the current time stamp in a variable to use for both
      $time = date("Y-m-d H:i:s");
      // update the time stamp in your cookie (same hash, new time stamp)
      $cookie = $hash . "-" . $time;
      setcookie('remember_me', $cookie, time() + 60*60*24*100, '/');
      // update the time_stamp in your database
   } else {
      // remove the remember me cookie
      setcookie('remember_me', '', time() - 42000, '/');
   }
}

This method offers a small amount of security, and should certainly be used alongside methods proposed in other answers. A hashed key should be stored in the cookie. A remember me cookie cannot be perfectly secure, so password re-entry should be required for any additional access to highly sensitive data or application features.

I also recommend naming your cookie something besides 'remember_me' to make it a little harder to find. While it does not add much security, if any, naming your cookie 'ht33424' takes just as long as naming it 'remember_me' or 'hack_me'.
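A worked version of the rotation the answer describes, added here as an example; it is not code from the original question or answer. It is written in Python rather than PHP. The `selector:validator` cookie layout, the in-memory dict standing in for the database table, the SHA-256 hashing of the stored validator, and the revocation of the whole series when a stale copy is replayed are assumptions of this example, not something the answer specifies. The first two functions model the question's own scheme (user id plus sha1 of user agent and user id, modelled here as one `uid:hash` string) to show why a hash with no secret in it can be forged from public inputs.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Optional, Tuple

# --- The question's scheme: cookie = "<user_id>:<sha1(user_agent + user_id)>". ---
# Nothing in the hash is secret, so anyone who knows the victim's user id and
# browser string can compute it without ever seeing a real cookie.
def question_scheme_cookie(user_agent: str, user_id: int) -> str:
    digest = hashlib.sha1(f"{user_agent}{user_id}".encode()).hexdigest()
    return f"{user_id}:{digest}"

def question_scheme_verify(cookie: str, user_agent: str) -> Optional[int]:
    """Server-side check of the question's cookie: returns the user id it vouches for."""
    user_id_str, _, digest = cookie.partition(":")
    if not user_id_str.isdigit():
        return None
    user_id = int(user_id_str)
    expected = hashlib.sha1(f"{user_agent}{user_id}".encode()).hexdigest()
    return user_id if hmac.compare_digest(digest.encode(), expected.encode()) else None

# --- The answer's idea made concrete: a random secret that rotates on every use. ---
@dataclass
class RememberRow:
    user_id: int
    validator_hash: str   # sha256 of the validator; the DB never holds the cookie value itself
    expires_at: float
    last_used: float

class RememberMeStore:
    TTL = 7 * 24 * 3600   # the 7-day lifetime from the question

    def __init__(self, now=time.time):
        self.rows: dict = {}   # selector -> RememberRow; stands in for the DB table (assumption)
        self.now = now

    @staticmethod
    def _digest(validator: str) -> str:
        return hashlib.sha256(validator.encode()).hexdigest()

    def issue(self, user_id: int) -> str:
        """Start a new remember-me series and return the cookie value 'selector:validator'."""
        selector, validator = secrets.token_urlsafe(12), secrets.token_urlsafe(32)
        t = self.now()
        self.rows[selector] = RememberRow(user_id, self._digest(validator), t + self.TTL, t)
        return f"{selector}:{validator}"

    def consume(self, cookie: str) -> Tuple[Optional[int], Optional[str]]:
        """Check a presented cookie. On success returns (user_id, replacement_cookie); the
        validator is rotated, so every earlier copy of this cookie is now stale. On failure
        returns (None, None) and the caller should clear the cookie, like the answer's else branch."""
        selector, sep, validator = cookie.partition(":")
        row = self.rows.get(selector) if sep else None
        if row is None:
            return None, None
        if self.now() > row.expires_at:
            del self.rows[selector]
            return None, None
        if not hmac.compare_digest(row.validator_hash.encode(), self._digest(validator).encode()):
            # A real selector with the wrong validator means a stale copy was replayed:
            # either the thief is late, or the thief already used it and this is the victim.
            # Revoking the series ends both sessions (a design choice beyond the answer).
            del self.rows[selector]
            return None, None
        new_validator = secrets.token_urlsafe(32)
        row.validator_hash = self._digest(new_validator)
        row.last_used = self.now()
        row.expires_at = row.last_used + self.TTL
        return row.user_id, f"{selector}:{new_validator}"

def replay_demo() -> dict:
    """Constructed walk-through of the cases the answer discusses, on a fixed clock."""
    clock = [1_700_000_000.0]
    store = RememberMeStore(now=lambda: clock[0])
    out = {}

    # Case 1: the user returns before the thief replays the stolen copy.
    stolen = store.issue(42)
    out["user_first"], fresh = store.consume(stolen)           # 42, validator rotated
    out["thief_replays_stale"], _ = store.consume(stolen)      # None: stale copy
    out["user_after_revoke"], _ = store.consume(fresh)         # None: series revoked

    # Case 2: the thief uses the copy first; it works until the user comes back.
    stolen = store.issue(7)
    out["thief_first"], thief_fresh = store.consume(stolen)    # 7: fresh copy works
    out["user_replays_stale"], _ = store.consume(stolen)       # None: and revokes the series
    out["thief_after_revoke"], _ = store.consume(thief_fresh)  # None

    # Case 3: the cookie simply expires.
    old = store.issue(9)
    clock[0] += 8 * 24 * 3600
    out["expired"], _ = store.consume(old)                     # None

    # Case 4: the question's hash is accepted when forged from public inputs alone.
    ua = "Mozilla/5.0 (constructed user agent)"
    out["forged_accepted"] = question_scheme_verify(question_scheme_cookie(ua, 42), ua)  # 42
    return out
```

Case 2 is the caveat in the answer's own words: a fresh stolen copy works until the user logs back in, at which point both the stolen copy and anything derived from it go stale. Case 4 shows why the answer insists on a secret or random key in the cookie rather than a hash of values the attacker already knows.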
