在Cookie中存储信息以记住登录 [英] Storing information in cookie to remember login
问题描述
我想将一些用户信息(哈希)存储在cookie中以记住登录以自动登录。为了使它相对安全,我添加用户浏览器信息与 HTTP_USER_AGENT 这将是类似: Mozilla / 5.0(Windows; U; Windows NT 5.1; en-US; rv:1.7)Gecko / 20040803 Firefox / 0.9.3
我不会添加用户IP作为动态IP每次更改。是否有任何其他用户特定的信息,我可以存储在散列cookie,以使其位安全,以防止cookie偷等等?
谢谢。
I want to store some of the user information (hashed) in cookie to remember the login to sign in automatically. In order to make it relatively secure, I'd add user browser information with HTTP_USER_AGENT which will be something like: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7) Gecko/20040803 Firefox/0.9.3
I won't add user IP as the dynamic IP changes everytime. Is there any other user specific information which I can store in hashed cookie to make it bit secure to prevent the cookie stealing etc?
Thanks.
推荐答案
这是通过隐身的安全性。它不会使系统更安全,因为额外的信息可以很容易地由攻击者伪造。
This is a perfect example of security through obscurity. It does not make the system more secure, because the additional info can be easily forged by attackers.
我建议您将用户ID从数据库存储到会话和存储会话ID中的Cookie。
I recommend you to store user ID from the database to session and store session ID in the cookie. That should be enough.
此外,您还可以通过对最常见的会话攻击应用补丁,使会话更安全:
Also, you can make your sessions more secure by applying patches to the most common session attacks:
- Session fixation
- Session hijacking
- Session poisoning
这篇关于在Cookie中存储信息以记住登录的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
