What is the best way to implement "remember me" for a website?


Problem description

I want my website to have a checkbox that users can click so that they will not have to log in each time they visit my website. I know I will need to store a cookie on their computer to implement this, but what should be contained in that cookie?

Also, are there common mistakes to watch out for to keep this cookie from presenting a security vulnerability, which could be avoided while still giving the 'remember me' functionality?

Recommended answer

Improved Persistent Login Cookie Best Practice

You could use this strategy described here as best practice (2006) or an updated strategy described here (2015):

  1. When the user successfully logs in with Remember Me checked, a login cookie is issued in addition to the standard session management cookie.
  2. The login cookie contains a series identifier and a token. The series and token are unguessable random numbers from a suitably large space. Both are stored together in a database table; the token is hashed (sha256 is fine).
  3. When a non-logged-in user visits the site and presents a login cookie, the series identifier is looked up in the database.
     1. If the series identifier is present and the hash of the token matches the hash for that series identifier, the user is considered authenticated. A new token is generated, a new hash for the token is stored over the old record, and a new login cookie is issued to the user (it's okay to re-use the series identifier).
     2. If the series is present but the token does not match, a theft is assumed. The user receives a strongly worded warning and all of the user's remembered sessions are deleted.
     3. If the username and series are not present, the login cookie is ignored.

This approach provides defense-in-depth. If someone manages to leak the database table, it does not give an attacker an open door for impersonating users.
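A minimal implementation of the series/token scheme described in the answer above, as an added example that is not part of the original question or answer. The in-memory dict stands in for the database table, and the cookie value format `series:token` is an assumption.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Tuple

# Constructed in-memory store standing in for the database table:
# series_id -> {"user": username, "token_hash": sha256(token)}
STORE: Dict[str, Dict[str, str]] = {}


def _hash(token: str) -> str:
    # Only the hash is persisted, so a leaked table does not yield usable cookies.
    return hashlib.sha256(token.encode()).hexdigest()


def issue_login_cookie(user: str, series: Optional[str] = None) -> str:
    """Create (or, when `series` is given, rotate) a remember-me cookie.

    Returns the cookie value "series:token" (assumed format).
    """
    series = series or secrets.token_urlsafe(16)   # unguessable series id
    token = secrets.token_urlsafe(32)              # unguessable one-use token
    STORE[series] = {"user": user, "token_hash": _hash(token)}
    return f"{series}:{token}"


def authenticate_login_cookie(cookie: str) -> Tuple[str, Optional[str], Optional[str]]:
    """Validate a presented login cookie.

    Returns (status, user, new_cookie) where status is "ok", "theft" or "ignored".
    "ok": token matched; it is rotated and a fresh cookie is returned.
    "theft": series known but token wrong; all of that user's series are deleted.
    "ignored": malformed cookie or unknown series.
    """
    try:
        series, token = cookie.split(":", 1)
    except ValueError:
        return "ignored", None, None
    record = STORE.get(series)
    if record is None:
        return "ignored", None, None
    # Constant-time comparison of the presented token's hash against the stored hash.
    if hmac.compare_digest(_hash(token), record["token_hash"]):
        user = record["user"]
        return "ok", user, issue_login_cookie(user, series)
    # Series exists but token differs: an older copy of the cookie is being replayed.
    victim = record["user"]
    for sid in [s for s, r in STORE.items() if r["user"] == victim]:
        del STORE[sid]
    return "theft", victim, None
```

Replaying a cookie after its token has been rotated is what triggers the theft branch, which is why a legitimate client must always store the newest cookie it receives.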
