记住我Cookie最佳做法？ [英] Remember me Cookie best practice?

问题描述

我关于这个论点的许多老问题，我想我最好的做法是设置一个cookie username ，

I red about many old questions about this argument, and i think i thought that the best practice is to set up a cookie with username,user_id and a random token.

在创建cookie时，相同的cookie数据存储在DB中，当用户使用cookie时，它们会被比较（cookie数据，数据库数据）。

Same cookie data are stored in DB at cookie creation, and when users have the cookie they are compared (cookie data, DB data).

如果这是真正的最佳实践，我不能理解安全逻辑在哪里。

Sincerely I can't understand where is the security logic if this is the real best practice.

攻击者窃取cookie的cookie与原始用户相同：|

An attacker who steals the cookie has the same cookie than the original user :|

忘记了一些步骤？ ：P

Forgotten some step? :P

推荐答案

您应该存储 user_id 除了用户的密码。在cookie中使用令牌，并在密码更改时更改令牌。这样，如果用户更改他们的密码，那么该cookie将失效。

You should store the user_id and issue a random token in addition to the user's password. Use the token in the cookie and change the token when the password changes. This way, if the user changes their password then the cookie will be invalidated.

如果cookie被劫持，这是很重要的。如果用户检测到劫持，并且由于令牌与密码无关，劫持者将无法派生，然后更改用户的帐户密码并拥有帐户（假设您需要现有密码）在更改密码之前，劫持者不拥有电子邮件帐户，因此他们不能使用忘记我的密码等）。

This is important if the cookie has been hijacked. It will be invalidated if the user detects the hijacking, and furthermore because the token is unrelated to the password the hijacker won't be able to derive and then change the user's account password and "own" the account (assuming you require the existing password before changing passwords, the hijacker doesn't own the email account so they can't use "Forgot my password" etc).

注意令牌不是容易猜到（即它们应该由完全随机的数据组成，如来自CRNG）。

Take care that the tokens aren't easily guessable (i.e. they should consist of entirely random data, like from a CRNG).

如果你想进一步，可以在发送cookie之前加密cookie并在收到时将其解密。此外，不要假设劫持者不知道使用的加密密钥，因此在解密时验证cookie的内容。

If you want to go one step further, you can encrypt the cookie before sending it and decrypt it upon receipt. And further to that, don't assume that a hijacker doesn't know the encryption key used, so validate the cookie's contents upon decryption.

但是所有这一切，使用库的持久会话管理，而不是滚动自己的。

But all that said, prefer to use a library's persistent session management instead of rolling your own.

这篇关于记住我Cookie最佳做法？的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！