我的Web应用程序是否可以实现用户登录并保持无状态？ [英] Can My Web App Implement User Login and Remain Stateless?

问题描述

我们有一个无状态的网络应用程序。我们在SSL / TLS上使用http
身份验证。用户的浏览器是
，可能存储认证凭据（可能甚至在浏览器关闭后，如果他们配置他们的浏览器的方式。）我们验证
他们在每次访问。

We have a web application that is stateless. We are using http authentication over SSL/TLS. The user's browsers are presumably storing authentication credentials (possibly even after a browser shut-down if they configure their browsers that way.) We validate them on every access.

由于主要与可用性有关，我们希望
停止使用http验证。是否有合理的方式
实现用户登录和

For reasons mostly having to do with usability, we would like to stop using http authentication. Is there a reasonable way to implement user login and

• 保持无状态。


• 不需要用户在每次访问时重新输入凭据。


• 至少与通过SSL / TLS的http身份验证一样安全。

例如，我们愿意使用cookies，并且可以将
用户名和密码存储为cookie。然而，这似乎较少
安全。但是是吗？如果我们使用非持久性cookie，是否
比任何浏览器在会话期间存储
凭证的方法更安全？

For example, we are willing to use cookies, and could store the username and password as a cookie. However, this seems less secure. But is it? If we use a non-persistent cookie, is it less secure than whatever method a browser uses to store credentials for the duration of the session, or longer?

我们可以存储用户名和密码哈希值，建议如下：
这里：我应该存储在cookies中以实现记住我在用户登录期间，但是
更好？

We could store username and a hash of the password as suggested here: What should I store in cookies to implement "Remember me" during user login but is that better?

我们可以存储一个随机令牌作为cookie，但是我们必须
在服务器上保持查找表（会话）并成为
有状态。

We could store a random token as a cookie, but then we have to keep a lookup table (session) on the server and become stateful.

我们可以将加密版本的凭证存储为
cookie，然后在每次访问时解密和验证。这个
似乎，因为它比http
身份验证略安全，并且不需要状态。然而，我是
不确定我们想要解密的额外开销。它真的更安全吗？如果有人获得加密（或散列，如上）字符串的副本，不是给他们相同的访问，因为他们有密码吗？

We could store an encrypted version of the credentials as a cookie and then decrypt and validate on every access. This seems like it is slightly more secure than http authentication and also does not require state. However, I'm not sure we want the additional overhead of decryption. And is it really more secure? If someone gets a copy of the encrypted (or hashed, as above) string, doesn't that give them the same access as if they had the password?

d感谢您的想法，但让我们从
开始假设SSL认证SSL / TLS是安全的
足够为我们的目的，我们想保持无状态。

I'd appreciate your thoughts, but let's start with the assumption that http authentication over SSL/TLS is secure enough for our purposes and we want to stay stateless.

EDIT

经过一些更多的研究，我认为这个stackoverflow问题：客户端会话更好地说明了问题，并且答案也相应更好。感谢所有为您的输入。

After some more research, I think this stackoverflow question: Client side sessions states the problem much better, and the answers are correspondingly better as well. Thanks to all for your input.

推荐答案

在一个封闭的系统（公司内部网或只是一个正常的网站，认真的人群）通过SSL证书验证将是更可取的。为每个用户颁发证书，让他们在其浏览器中安装证书，您可以随时撤销该证书的访问权限（请参阅myopenid.com的ssl-cert标识系统（不幸的是buggy atm）。

In a closed system (company intranets, or just a normal site but with a small, decently savvy crowd) validating by SSL-certificate would be preferable. Issue a certificate for every user, let them install it in their browsers, and you can revoke access for that certificate at any time (see for instance the ssl-cert identification system of myopenid.com(unfortunately buggy a.t.m.).

这将需要一些工作在你的用户的一部分，如果这是不可能/不可取的，一个cookie-token将是更可取的，以及无论你查找一个用户/ passwd组合或Cookie令牌不应该产生太大的区别。

It would require some work on your users' part, and if that is not possible / desirable, a cookie-token would be far preferable, and whether you look up a user/passwd combo or a cookie token shouldn't make that much of a difference.

这篇关于我的Web应用程序是否可以实现用户登录并保持无状态？的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！