"Remember Me On This Computer" - How Should It Work?


Question


Looking at Gmail's cookies it's easy to see what's stored in the "remember me" cookie. The username/one-time-access-token. It could be implemented differently in cases where the username is secret, as well. But whatever... the thing is not very high security: you steal the cookie and you're ready to go.


My question is on the functional side, however: when do you wipe their access tokens? If a user logs in without clicking "remember me" on another machine, should it invalidate their access tokens on all machines? I'm asking about how this is traditionally implemented, and also how it should be implemented.

Answer


I regularly use 2 or 3 machines simultaneously, and have "remember me" on all of them. If one of them disconnected the others that would be very annoying, so I wouldn't recommend it.


Traditionally it would use a time-out: the cookie expires after a certain length of time (or when the user signs out).


It all depends on your security model. If you are writing an internal company application where you only ever expect one user to be on one computer then you might want to have tighter restrictions than gmail.


Also, bear in mind the possibility of Denial of Service - if an action on one machine can force another machine to be unusable, this could be used to prevent a legitimate user from taking control back in certain scenarios.
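To make the two models in the answer concrete, here is an added example (not code from the question or answer above) of a server-side remember-me token store: each browser gets its own token with its own expiry, sign-out revokes only that browser's token (the relaxed, Gmail-style model), and a separate `revoke_all` implements the stricter one-user-one-machine model. The 30-day lifetime, the class and method names, and the injectable clock are all assumptions made for the example.

```python
import hashlib
import secrets
import time

TOKEN_TTL_SECONDS = 30 * 24 * 3600  # assumed 30-day "remember me" lifetime


class RememberMeStore:
    """Per-device persistent-login tokens (assumed design, not a real library).

    Only a SHA-256 hash of each token is stored, so a leaked table does not
    yield usable cookies. Each token expires on its own clock and is revoked
    individually on sign-out, so signing out on one machine does not
    disconnect the user's other machines.
    """

    def __init__(self, now=time.time):
        self._now = now            # injectable clock, makes expiry testable
        self._tokens = {}          # token hash -> (username, expires_at)

    @staticmethod
    def _hash(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, username):
        """Create a new token; the raw value is what goes into the cookie."""
        token = secrets.token_urlsafe(32)
        self._tokens[self._hash(token)] = (username, self._now() + TOKEN_TTL_SECONDS)
        return token

    def validate(self, token):
        """Return the username for a live token, or None if unknown/expired."""
        key = self._hash(token)
        entry = self._tokens.get(key)
        if entry is None:
            return None
        username, expires_at = entry
        if self._now() >= expires_at:
            self._tokens.pop(key, None)   # lazy cleanup of expired tokens
            return None
        return username

    def sign_out(self, token):
        """Revoke only this device's token (relaxed, multi-machine model)."""
        self._tokens.pop(self._hash(token), None)

    def revoke_all(self, username):
        """Revoke every token for a user (stricter, one-machine model)."""
        self._tokens = {h: v for h, v in self._tokens.items() if v[0] != username}
```

Because `revoke_all` lets an action on one machine cut off every other machine, it is the operation to gate carefully given the denial-of-service concern raised in the answer.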
