Remember me Cookie best practice?

Problem description

I read about many old questions about this argument, and I thought that the best practice is to set up a cookie with username, user_id and a random token.

Same cookie's data is stored in DB at cookie creation, and when users have the cookie they are compared (cookie data, DB data).

Sincerely, I can't understand where the security logic is if this is the real best practice.

An attacker who steals the cookie has the same cookie as the original user :|

Forgot some steps? :P

Recommended answer

You should store the user_id and issue a random token in addition to the user's password. Use the token in the cookie and change the token when the password changes. This way, if the user changes their password then the cookie will be invalidated.

This is important if the cookie has been hijacked. It will be invalidated if the user detects the hijacking, and furthermore because the token is unrelated to the password the hijacker won't be able to derive and then change the user's account password and "own" the account (assuming you require the existing password before changing passwords, the hijacker doesn't own the email account so they can't use "Forgot my password" etc).

Take care that the tokens aren't easily guessable (i.e. they should consist of entirely random data, like from a CRNG).

If you want to go one step further, you can encrypt the cookie before sending it and decrypt it upon receipt. And further to that, don't assume that a hijacker doesn't know the encryption key used, so validate the cookie's contents upon decryption.

But all that said, prefer to use a library's persistent session management instead of rolling your own.
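As an added illustration of the answer above (example code, not from the question or the answer), a minimal Python version of the scheme: a token from the CSPRNG stored server-side per user_id, the cookie carrying `user_id:token`, a constant-time comparison on every request, and a fresh token whenever the password changes so the old cookie stops working. It goes one step beyond the answer by storing only a hash of the token, so a leaked table does not directly yield valid cookies; the in-memory dict is a constructed stand-in for the DB table.

```python
import hashlib
import hmac
import secrets
from typing import Optional


class RememberMeStore:
    """Server-side half of a remember-me cookie: user_id -> hash of current token."""

    def __init__(self) -> None:
        # Constructed stand-in for the DB table; a real app persists this.
        self._token_hashes: dict[int, str] = {}

    @staticmethod
    def _digest(token: str) -> str:
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def issue(self, user_id: int) -> str:
        """Create a new random token for user_id and return the cookie value."""
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG, not guessable
        self._token_hashes[user_id] = self._digest(token)
        return f"{user_id}:{token}"  # this string is what goes into the cookie

    def validate(self, cookie: str) -> Optional[int]:
        """Return the user_id the cookie proves, or None if it is malformed, unknown or stale."""
        try:
            uid_str, token = cookie.split(":", 1)
            user_id = int(uid_str)
        except ValueError:
            return None  # cookie does not have the expected "user_id:token" shape
        stored = self._token_hashes.get(user_id)
        if stored is None:
            return None  # no outstanding token for this user (never issued or rotated away)
        # Constant-time comparison so response timing does not leak how much of the token matched.
        if not hmac.compare_digest(stored, self._digest(token)):
            return None
        return user_id

    def on_password_change(self, user_id: int) -> str:
        """Rotate the token: every cookie issued before the password change is now invalid."""
        return self.issue(user_id)
```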
