如何检查用户令牌在CouchDB中是否仍然有效? [英] How to check if user token is still valid in CouchDB?

问题描述

当您想用用户登录时，向http://localhost:5984/_session发送一个POST请求并获取一个cookie.默认情况下，此cookie有效期为10分钟，并存储在我的$_COOKIE变量中.

When you want to log in with a user you send a POST request to http://localhost:5984/_session and get back a cookie. This cookie is valid for 10 minutes by default and is stored in my $_COOKIE variable.

在我的情况下，我希望用户能够基于他是否已登录(例如，具有有效令牌)的事实与我的网站进行交互.我的问题是如何检查用户cookie是否仍然对我的CouchDB有效?

In my scenario I want the user to be able to interact with my website based upon the fact that he is logged in (eg. has a valid token) or not. My question is how can I check if a users cookie is still valid against my CouchDB?

推荐答案

来自此处:

CouchDB的cookie算法(查看源代码)基本上是data = username + ':' + timestamp; base64(data + ':' + sha_mac(data, secret)).其中secret是 couch_httpd_auth.secret 值加上用户的食盐值.

CouchDB's cookie algorithm (view source) is basically data = username + ':' + timestamp; base64(data + ':' + sha_mac(data, secret)). Where secret is the couch_httpd_auth.secret value plus the user's salt value.

这意味着，如果您要做的只是检查时间戳记，则可以对Cookie进行Base64解码，然后从结果中提取时间戳记，并将其与当前时间进行比较.

This means that if all you want to do is check the timestamp, you can Base64 decode the cookie, then extract the timestamp from the result, and compare against the current time.

如果您想实际验证Cookie是否有效(即未伪造)，则需要知道用户的密码盐和服务器密码.如果这是一个客户端应用程序，那就很危险.即使它是服务器应用程序，也会将敏感信息放在更多位置，这确实带来了额外的安全风险.这些风险是否值得，取决于您和您的实施方式.

If you want to actually validate that the cookie is valid (i.e. not forged), you'll need to know the user's password salt, and the server secret. If this is a client-side app, that's dangerous. Even if it's a server app, it's putting that sensitive information in more places, which does come with additional security risks. Whether those risks are worth it is up to you, and your implementation.

这篇关于如何检查用户令牌在CouchDB中是否仍然有效?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！