我应该在 cookie 中存储什么来实现“记住我"?在用户登录期间 [英] What should I store in cookies to implement "Remember me" during user login

问题描述

我的网站有一个登录系统，存储在数据库中的用户详细信息是用户 ID(每个用户和标识符唯一的)、电子邮件地址强>(唯一)、显示名称(非唯一)、密码和会员身份.
现在我应该在 cookie 中存储什么?我正在考虑仅将用户 ID 存储在具有到期日期的 cookie 中，然后如果用户在注册后重新访问我的网站，请检查 cookie 并让他登录(这对我来说不合适)并销毁 cookie如果他决定退出.
*稍微解释一下也会很有帮助.谢谢

I have a login system in place for my website, the details of the user which are stored in the database are userid(unique for every user and identifier), email address(unique), display name(not unique), password and membersince.
Now what should I store in the cookies? I was thinking about storing just the userid in the cookie with an expiration date and then if the user revisits my website after signing up check for the cookie and log him in( which kind of doesn't look right to me) and destroy the cookie if he decides to log out.
*A little explanation would also be very helpful. Thanks

推荐答案

如果您使用只有您的应用程序知道的密钥对其进行签名，则您只能将用户 ID 存储在 cookie 中.否则，用户可能会将 cookie 更改为任何内容并以其他人的身份登录.因此，如果您想存储用户 ID，还需要使用密钥存储用户 ID 的哈希值(理想情况下使用 HMAC) 并且当您想登录它们时，计算相同的哈希值并将其与来自 cookie 的哈希值进行比较.另一种解决方案是生成一个随机令牌，将其存储在数据库中并在 cookie 中使用它.如果它足够长且足够随机，那么有人猜测另一个人的令牌的可能性很小.

You can only ever store the userid in a cookie if you sign it with a secret key that only your applications knows. Otherwise it's possible for the user to change the cookie to anything and login as somebody else. So, if you want to store the userid, store also a hash of the user id with the secret key (ideally using HMAC) and when you want to log them in, calculate the same hash and compare it to the hash from the cookie. Another solution is to generate a random token, store it in the database and use that in the cookie. If it's long and random enough, there is very little chance somebody would guess another person's token.

这篇关于我应该在 cookie 中存储什么来实现“记住我"?在用户登录期间的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！