OpenID sign in mechanism - Stay signed in


Question

I'm developing a website in PHP and I'm trying to use OpenID for the log-in mechanism. I want a behaviour similar to StackOverflow's. By that, I mean whenever I open stackoverflow, I'm already signed in. I found two related questions on StackOverflow:

OpenId + Remember me / Stay logged in

Login with Twitter and stay logged in (PHP)

I understand that I should sign in the user and if this is his/her first time, I should sign up the user and set a cookie in his/her system. However what I want to know is what should I store in the cookie? Username/password combination? That seems like a security issue. And the other question is where should I check for the cookie? I would appreciate a simple tutorial/code sample. Thank you.

Recommended answer

This is basic web app session management with cookies and OpenID doesn't make a difference here at first.

No, absolutely do not store the username and password in the cookie. Cookies act as "bearer tokens", meaning whoever has the cookie gets in. The best thing to store in a cookie is an unguessable and arbitrary key that you can use to look up real information in a table in your application. So, the user shows up with a cookie of "myappsession" and a value of "234871nb341adf" tied to your domain. Your app would then look up the value of "234871nb341adf" in a local data store and see if it's tied to a valid user. You'd be best served to also check how long ago that user was there and whatnot. If it's a valid session and it's within your time and usage limits, the user is logged in automatically.

For extra paranoia from the RP side, you can make use of the checkid_immediate mode of OpenID to make a background call to see if the user is still logged in to their IdP. If they're not, then you at least know which provider to try to send them to for re-validation and can provide a better user experience.

If you want your site to be really secure, you should do all of your sessions over HTTPS and tag your cookies as both "Secure" and "HTTPOnly", which is documented on the setcookie function manual page: http://php.net/manual/en/function.setcookie.php
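The session mechanism the answer describes, as an added PHP example that is not part of the original answer: an unguessable opaque token in a cookie named `myappsession`, looked up in a server-side store with time limits, and sent with the Secure and HttpOnly flags. The `$store` array stands in for the app's data store, the function names and the 14-day / 1-day limits are this example's own assumptions, and the `setcookie` options array needs PHP 7.3 or later.

```php
<?php
// Added example, not from the original answer: the opaque-token session cookie it describes.
// $store stands in for the app's data store; function names and limits are this example's own.

const SESSION_COOKIE = 'myappsession';   // cookie name used in the answer
const SESSION_TTL    = 14 * 24 * 3600;  // absolute lifetime: 14 days (assumed)
const SESSION_IDLE   = 24 * 3600;       // must be used at least once a day (assumed)

/** Create a session for $userId and return the raw token to hand to the browser. */
function issue_session(array &$store, int $userId, int $now): string {
    $token = bin2hex(random_bytes(32));          // 256 bits: unguessable and arbitrary
    // Store only a hash, so a leaked data store does not yield usable bearer tokens.
    $store[hash('sha256', $token)] = [
        'user_id' => $userId, 'created' => $now, 'last_seen' => $now,
    ];
    return $token;
}

/** Send the token as a Secure + HttpOnly cookie (the site is served over HTTPS). */
function send_session_cookie(string $token, int $now): bool {
    return setcookie(SESSION_COOKIE, $token, [
        'expires'  => $now + SESSION_TTL,
        'path'     => '/',
        'secure'   => true,     // never sent over plain HTTP
        'httponly' => true,     // not readable from JavaScript
        'samesite' => 'Lax',
    ]);
}

/** Look the cookie value up; return the user id, or null if no valid session exists. */
function validate_session(array &$store, ?string $cookie, int $now): ?int {
    if ($cookie === null || !preg_match('/^[0-9a-f]{64}$/', $cookie)) {
        return null;                             // missing or malformed cookie
    }
    $key = hash('sha256', $cookie);
    $s = $store[$key] ?? null;
    if ($s === null || $now - $s['created'] > SESSION_TTL || $now - $s['last_seen'] > SESSION_IDLE) {
        unset($store[$key]);                     // unknown or expired: require a fresh OpenID login
        return null;
    }
    $store[$key]['last_seen'] = $now;            // sliding idle window
    return $s['user_id'];
}

// After the OpenID assertion for user 42 has been verified (constructed sample):
$store = [];
send_session_cookie(issue_session($store, 42, time()), time());
// On a later request: $user = validate_session($store, $_COOKIE[SESSION_COOKIE] ?? null, time());
```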

