在凤凰中实现“记住我" [英] Implementing remember-me in phoenix
问题描述
起初,我选择使用put_session
来存储用户ID,因为无法篡改会话哈希.但是,似乎会话cookie仅在浏览器会话期间持续存在.当用户重新打开浏览器时,浏览器消失了,用户必须再次登录.
At first I chose to use put_session
to store user id because session hash cannot be tampered. However it seems like session cookie only persist during the browser session. When the user re-opens the browser, it's gone and the user has to log in again.
我读到另一种选择可能是为每个用户生成一个安全的随机令牌,并将其存储在数据库中,然后将其放入具有高到期日期的常规Cookie中.但是,鉴于此cookie没有篡改保护AFAIK(但我可能是错的)并且连接并不总是https,我猜任何人在用户和服务器之间的中间监听http都可以劫持用户会话
I read that another option might be to generate a secure random token for each user and store it in the database and put it in a regular cookie with high expiration date. However, given that this cookie doesn't have tampering protection AFAIK (but I might be wrong) and connection is not always https, I guess anyone listening to http in the middle between the user and the server would be able to hijack the user session.
因此,问题是如何以安全的方式在会话中保留用户ID?还是其他方式呢?
Hence the question is how can I persist user id in session in a secure way? Or what are the other ways?
推荐答案
默认cookie"max-age"直到关闭浏览器为止. 您应该给cookie一个非常高的"max_age"值: http://hexdocs.pm/plug/Plug.Conn.html#put_resp_cookie/4
The default cookie "max-age" is until close borwser. You should give the cookie a really high "max_age" value: http://hexdocs.pm/plug/Plug.Conn.html#put_resp_cookie/4
另一种设置"max_age"的方法,在官方文档中找不到,但是它有效:
Another way set "max_age", I can't find it in official doc,but it works:
defmodule HelloPhoenix.Endpoint do
use Phoenix.Endpoint, otp_app: :hello_phoenix
. . .
plug Plug.Session,
store: :cookie,
key: "_hello_phoenix_key",
signing_salt: "Jk7pxAMf",
max_age: 2592000 # 60*60*24*30
. . .
end
这篇关于在凤凰中实现“记住我"的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!