记住我系统的基础 [英] Basics of a remember-me system

问题描述

我正在使用PHP/MySQL登录系统.我想在其中添加一个记住我"的信息.记住我的基本原理是什么?是否需要在存储所有用户信息的MySQL表中添加新列等?

I am using a PHP / MySQL login system. I would like to add a remember-me to it. What are the basic mechanics of a remember-me? Does it involve adding a new column to the table in MySQL where all of the user information is stored, etc. ?

预先感谢

约翰

推荐答案

有几种不同的方法. 安全方法是在mysql用户表中添加一个字段，并具有一个"remember_me"哈希，该哈希只是生成的随机哈希.

There are a few different methods for this. A secure method would be to add a field to the mysql user table and have a "remember_me" hash which is just a random hash generated.

散列应该存储在用户计算机上的cookie中以及用于进行验证的userid中，以用于验证目的，以便记住时间长久(您还应该在数据库中将记住我"时间段设置为时间戳，以提高安全性) ).当他们打开您的网站时，您会看到该cookie是否已设置，如果已设置，则只需将哈希身份验证给用户ID.如果验证通过，则将其视为已登录.如果未通过验证，则将其发送至登录页面/将不将其视为已登录.

The hash should be stored in a cookie on the users computer as well as the userid for validation purposes for however long the remembering period lasts (you should also set the remember me period in the DB as a timestamp as well for extra security). When they pull up your site, you see if that cookie isset, if it is then you just authenticate the hash to the userid. If it validates they are considered logged in. If it does not validate, then send them to a sign in page / they are not considered logged in.

这是我设置大多数网站的方式.痛苦的是，如果他们从另一台计算机登录，那么现在它们将不再在使用的计算机上进行验证，因此必须重新进行身份验证.但是对我来说，安全性比这种情况下他们不得不再次登录更为重要.

This is how I setup most of my sites. The pain is that if they login from another computer, well they are now no longer validated on the computer they were using and will have to re-authenticate. But security, to me, is more important than them having to login again due to that situation.

有关会话/安全性的更多信息，请参见下面的评论.

See comments below for extra information regarding the sessions / security.

这篇关于记住我系统的基础的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！