Securely implementing session state and "keep me logged in" feature


Question

I would like to improve security on a current application regarding session management and I want the users to be logged in until they explicitly logout.

How does one implement that securely?

Keep session information in database, like sessionid, ip, useragent?

Please provide the requirements, possibly a database layout, do's and don'ts, tips and tricks.

Note: I know frameworks like ASP.NET, Rails, CodeIgniter, etc. already take care of that, but this is not an option. Actually it is for a classic ASP application. But I think this question does not relate to a specific language.

Accepted answer

Read Improved Persistent Login Cookie Best Practice (both the article and comments).
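The scheme that article describes (a random series identifier plus a random token per cookie, token rotated on every use, and a correct series with a wrong token treated as a stolen cookie), as an added example that is not part of this answer or the original post. The in-memory dictionary stands in for a `persistent_logins` table with columns `series_id`, `username`, `token_hash`; that layout and all function names are assumptions for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed stand-in for a persistent_logins table with columns
# series_id (primary key), username, token_hash. Only the hash of the
# token is stored, so a leaked table does not yield usable cookies.
_persistent_logins: dict[str, dict] = {}

def _hash(token: str) -> str:
    return hashlib.sha256(token.encode()).hexdigest()

def issue_cookie(username: str) -> str:
    """Password login with 'keep me logged in' ticked: start a new series."""
    series_id = secrets.token_urlsafe(16)
    token = secrets.token_urlsafe(32)
    _persistent_logins[series_id] = {"username": username, "token_hash": _hash(token)}
    # Send this as an HttpOnly, Secure cookie; the live session cookie is separate.
    return f"{series_id}:{token}"

def revoke_user(username: str) -> None:
    """Drop every remembered series for the user (explicit logout or suspected theft)."""
    for sid in [s for s, r in _persistent_logins.items() if r["username"] == username]:
        del _persistent_logins[sid]

def redeem_cookie(cookie: str):
    """No live session, but a persistent cookie arrived.
    Returns (status, username, new_cookie); status is 'ok', 'invalid' or 'theft'."""
    series_id, sep, token = cookie.partition(":")
    row = _persistent_logins.get(series_id)
    if not sep or row is None:
        return "invalid", None, None  # unknown series: ignore the cookie
    if not hmac.compare_digest(row["token_hash"], _hash(token)):
        # Right series, wrong token: the cookie was copied and the copy has
        # already been used. Assume theft and log the user out everywhere.
        revoke_user(row["username"])
        return "theft", row["username"], None
    # Valid: rotate the token but keep the series, so the same browser
    # presents a fresh secret on every use.
    new_token = secrets.token_urlsafe(32)
    row["token_hash"] = _hash(new_token)
    return "ok", row["username"], f"{series_id}:{new_token}"
```

A session restored this way should be flagged as cookie-authenticated so that sensitive actions (changing the password or e-mail, for instance) ask for the password again, as the referenced article also recommends.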
