PHP Cookie和用户帐户的会话安全性 [英] PHP cookies and sessions security for user accounts

问题描述

在研究了使用记住我功能创建安全登录的方法后，我遇到了关于如何使这个安全的许多冲突观点。我希望创建的登录系统不需要高度安全，但我想选择一个很好的安全和简单的方法，我有两个问题。

After researching ways to make a secure log in form with 'remember me' functionality I've come across many conflicting views on how to make this secure. The log in system I wish to create does not need to be highly secure, but I'd like to pick a nice secure and easy method and I have two questions.

1. 应该存储在会话变量中以检查用户是否登录，这只是用户名（或ID）。如果它只是用户名，在用户发现他们的帐户已被入侵并希望更改密码以阻止恶意用户搞乱他们的帐户的情况下会发生什么？如果恶意用户有一个会话，即使密码被更改，他们可以继续恶意，直到他们的会话过期，这可以避免 - 也许使用该用户名的密码更改无效所有会话？

1. What should be stored in the session variables to check a user is logged in, is this just username (or ID). If it is just the username, what happens in the case where a user finds their account has been compromised and wishes to change the password to stop the malicious user messing around with their account? If the malicious user has a session then even if the password is changed they can continued being malicious until their session expires, can this be avoided - maybe invalidate all sessions with that username on password change?

存储一个密码（使用仅用于cookie的盐重新加密）和一个（HttpOnly）cookie中的用户名是否有足够的记住我功能？我听说过数据库存储用户名和随机生成的密钥的方式，这也放在用户cookie中。然后，当用户操作发生时，旧密钥被替换为新密钥并且被给予用户的cookie。这种类型的cookie安全性值得吗，还是通常的加密密码方法就足够了？

Is storing a password (re-encrypted with a salt used just for cookies) and username in a (HttpOnly) cookie a decent enough way of having the 'remember me' functionality? I've heard ways where a database stores a username and a randomly generated key, and this is also put in the user cookie. Then when a user action occurs the old key is replaced with a new one and given to the user's cookie. Is this type of cookie security worth it or will the usual re-encrypted password method be sufficient?

推荐答案

通常，如果你想记住用户，你生成一个密钥并将其存储在数据库中，然后设置其生命周期（这可以是任何东西，如6小时或2天）。您将该密钥存储在cookie（以及userid）中。现在，每次用户连接到网站时，您都会比较两个键。如果数据库中的密钥已超过其生命周期，您将生成一个新密钥并将其存储在cookie中。因此，如果有人窃取cookie（不知何故），他必须使用它，然后再次连接到网站并重置密钥。这是我最常看到的方法。

Usually if you want to remember the user, you generate a "key" and store it in the database, then set its "lifetime" (this can be anything, like 6 hours or 2 days). You store that key in the cookie (along with the userid). Now, every time the user connects to the website you compare both keys. If the key in the database has exceeded its lifetime, you generate a new key and store it in the cookie. Thus, if someone steals the cookie (somehow) he would have to use it before you connect to the website again and reset the key. This is a method I most commonly see.

这篇关于PHP Cookie和用户帐户的会话安全性的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！