“记住我”的Cookie在JSF [英] Cookies for "Remember me" in JSF
问题描述
我有一个登录页面,我想添加记住我功能;因此,如果用户注销并再次打开该页面,则会加载其用户名和密码。
为此,当用户登录(和记住我被选中)我保存以下cookie:
FacesContext facesContext = FacesContext.getCurrentInstance();
Cookie userCookie = new Cookie(vtusername,username);
userCookie.setMaxAge(3600);
(HttpServletResponse)facesContext.getExternalContext )
.getResponse())addCookie(userCookie);
Cookie passCokie = new Cookie(vtpassword,password);
passCokie.setMaxAge(3600);
HttpServletResponse)facesContext.getExternalContext()
.getResponse())。addCookie(passCokie);
问题是,后来(在同一个会话)我读取cookie,我看到maxAge = -1;即使我将其设置为3600 ...为什么?
另一个问题:如果我
另一个问题:由于密码存储在cookie中,因此cookie的安全性可以通过userCookie.setSecure(true) ,我应该怎么加密呢?最佳做法是什么?
提前感谢
问题是,后来(在同一个会话)我读取cookie,我看到maxAge = -1;即使我将其设置为3600 ...为什么?
因为浏览器不发送maxage回。它只发送cookie name = value。 maxage仅存储在浏览器中。你可以在web浏览器本身的cookie查看器/编辑器中检查它。例如,在Firefox中,您可以通过工具>选项>隐私>删除个别Cookie 来检查所有Cookie。输入网域(例如localhost)以查看Cookie。
另一个问题:如果我将cookie设置为userCookie.setSecure
它只有在请求/响应时才有效是通过HTTPS而不是HTTP提供的。此外,当请求已通过HTTPS提供时,它将默认为secure = true。
另一个问题:密码存储在cookie中,我应该怎么加密呢?什么是最佳做法?
不要将原始名称/密码存储在两个Cookie中。除此之外,这可以很容易地在一个单一的cookie,这是一个非常糟糕的主意,很容易hackable。使用具有自动生成的长,唯一且不可能的猜测值的单个cookie。将此值与用户ID一起存储在服务器端的数据库中。当有人使用此Cookie访问您的网站,但用户尚未登录(即,在会话中没有用户对象)时,您可以执行自动登录。 p>
另请参阅:
I have a login page, and I want to add the "Remember me" feature; so that if user logs out and opens the page again, his username and password are loaded. For this, when user logs in (and "remember me" is checked") I save the following cookies:
FacesContext facesContext = FacesContext.getCurrentInstance();
Cookie userCookie = new Cookie("vtusername", username);
userCookie.setMaxAge(3600);
((HttpServletResponse) facesContext.getExternalContext()
.getResponse()).addCookie(userCookie);
Cookie passCokie = new Cookie("vtpassword", password);
passCokie.setMaxAge(3600);
((HttpServletResponse) facesContext.getExternalContext()
.getResponse()).addCookie(passCokie);
The problem is that later (in the same session) I read the cookies and I see that maxAge = -1; even though I'm setting it to 3600... why is that? Another issue: if I set the cookie secure with userCookie.setSecure(true) then I can't read it (it dissapears).
Another question: since a password is being stored in a cookie, should I encrypt it some how? what is the best practice?
Thanks in advance
The problem is that later (in the same session) I read the cookies and I see that maxAge = -1; even though I'm setting it to 3600... why is that?
Because the browser doesn't send the maxage back. It only sends the cookie name=value back. The maxage is only stored in the browser. You can check it in the cookie viewer/editor of the webbrowser itself. In Firefox for example, you can check all cookies by Tools > Options > Privacy > Remove individual cookies. Enter the domain (e.g. localhost) to see the cookies.
Another issue: if I set the cookie secure with userCookie.setSecure(true) then I can't read it (it dissapears).
It only works when the request/response is served over HTTPS instead of HTTP. Also, when the request is already served over HTTPS, it will already default to secure=true.
Another question: since a password is being stored in a cookie, should I encrypt it some how? what is the best practice?
Do not store the raw name/password in two cookies. Apart from that this can easily go in just a single cookie, this is a very bad idea and easily hackable. Use a single cookie with an autogenerated long, unique and impossible-to-guess value. Store this value along with the user ID in a database in the server side. When someone visits your site with this cookie, but the user is not logged in yet (i.e. there's no User object in session), then you can do the automatic login.
See also:
这篇关于“记住我”的Cookie在JSF的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
