保存凭据/在cookie中的令牌？ [英] Saving credentials / token in a cookie?

问题描述

我设法得到工作，我知道返回一个令牌（JWT）的客户端进行认证。此令牌的过期日期/时间，所以我在想保存在cookie那么以后登录验证了令牌，但这可能是行不通的。

I have managed to get working the authentication which i know return a token (JWT) to the client. This token has an expiration date/time so I was thinking about saving the token in a cookie so future logins were authenticated but this is probably not going to work.

然后我虽然关于在cookie中保存的用户名和密码，虽然我知道这是不推荐??

I then though about saving the username and password in a cookie although i know this isn't recommended??

目前我有一个接受用户名和密码形式，登录成功将提供用来访问其他端点的令牌。

Currently i have a form that accepts a username and password, a successful login will provide a token which is used to access other endpoints.

该表格必须包括一个记住我，所以可能会出现自动登录。

The form needs to include a "Remember Me" so an automatic login can occur.

什么是实现这一目标的最佳途径？

What is the best way of achieving this ?

我应该存储在cookie中的用户名和密码，如果没有我怎么会自动将用户下一次来到我的网站进行身份验证。我所提供的令牌将被这么过期有即使这个存储任何一点？

Should i be storing the username and password in the cookie, if not how do i automatically authenticate the next time the user arrives to my site. The token that i provide is going to be expired so is there any point in even storing this ?

在此先感谢

推荐答案

不要存储在cookie中的用户名或密码。即使该cookie被加密，最好是存储的凭证短届满时间像在比象具有更多的货架寿命密码凭证的cookie令牌

Do not store the user name or password in the cookie. Even if the cookie is encrypted, it is better to store a credential with short expiration time like the token in a cookie than a credential like password which has more shelf life.

即使在ASP.NET Web窗体或MVC世界（Forms身份验证），典型的记住我的作品只有等到cookie过期的时间。 记住我并不意味着记得我永远而且必须有一个有限的时间段记忆。时间可以从cookie中获得。你可以把智威汤逊在cookie并设置cookie的寿命一样智威汤逊，说一个小时。当用户回来在这段时间内您的应用程序，该cookie不会过期，用户将自动登录，否则，他们必须重新登录。不要去想存储用户名 - 密码，系统登录，让用户输入凭据和做法会更有保障。 BTW，确保cookie被加密，并且是一个HTTP cookie的唯一

Even in the ASP.NET Web Forms or MVC world (Forms Authentication), typically "Remember me" works only until the time the cookie expires. "Remember me" does not mean remember me for ever and there must be a finite time period for remembering. That time can be derived from a cookie. You can put the JWT in the cookie and set the cookie's life time same as JWT, say an hour. When the user comes back to your app within that time, the cookie will not expire and the user is automatically logged in. Otherwise, they have to re-login. Do not think about storing the user name - password and systematically logging in. Let the user enter the credentials and that approach will be more secure. BTW, make sure cookie is encrypted and is an HTTP only cookie.

此机制将类似于窗体身份验证。代替身份验证票证的，你会用你的智威汤逊。取而代之的FAM读取cookie时，你需要有自己的HttpModule或消息处理程序要做到这一点，并建立了身份的要求。

This mechanism will be similar to Forms Authentication. In place of the authentication ticket, you will use your JWT. Instead of FAM reading the cookie, you will need to have your own HttpModule or a message handler to do that and establish the identity for the requests.

这篇关于保存凭据/在cookie中的令牌？的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！