这是我的网络应用程序“记住我"功能的合法实现吗? [英] Is this a legitimate implementation of a 'remember me' function for my web app?
问题描述
我正在尝试向我的网络应用程序添加记住我"功能,让用户在浏览器重新启动之间保持登录状态.我想我得到了大部分.我在后端使用谷歌应用引擎,它允许我使用 java servlet.下面是一些用于演示的伪代码:
I'm trying to add a "remember me" feature to my web app to let a user stay logged in between browser restarts. I think I got the bulk of it. I'm using google app engine for the backend which lets me use java servlets. Here is some pseudo-code to demo:
public class MyServlet {
public void handleRequest() {
if (getThreadLocalRequest().getSession().getAttribute("user") != null) {
// User already has session running for them.
}
else {
// No session, but check if they chose 'remember me' during
// their initial login, if so we can have them 'auto log in'
// now.
Cookie[] cookies = getThreadLocalRequest().getCookies();
if (cookies.find("rememberMePlz").exists()) {
// The value of this cookie is the cookie id, which is a
// unique string that is in no way based upon the user's
// name/email/id, and is hard to randomly generate.
String cookieid = cookies.find("rememberMePlz").value();
// Get the user object associated with this cookie id from
// the data store, would probably be a two-step process like:
//
// select * from cookies where cookieid = 'cookieid';
// select * from users where userid = 'userid fetched from above select';
User user = DataStore.getUserByCookieId(cookieid);
if (user != null) {
// Start session for them.
getThreadLocalRequest().getSession()
.setAttribute("user", user);
}
else {
// Either couldn't find a matching cookie with the
// supplied id, or maybe we expired the cookie on
// our side or blocked it.
}
}
}
}
}
// On first login, if user wanted us to remember them, we'd generate
// an instance of this object for them in the data store. We send the
// cookieid value down to the client and they persist it on their side
// in the "rememberMePlz" cookie.
public class CookieLong {
private String mCookieId;
private String mUserId;
private long mExpirationDate;
}
好吧,这一切都说得通.唯一可怕的是,如果有人发现了 cookie 的价值,会发生什么?恶意个人可以在他们的浏览器中设置该 cookie 并访问我的网站,并且基本上以与其关联的用户身份登录!
Alright, this all makes sense. The only frightening thing is what happens if someone finds out the value of the cookie? A malicious individual could set that cookie in their browser and access my site, and essentially be logged in as the user associated with it!
同样,我想这就是为什么 cookie id 必须难以随机生成的原因,因为恶意用户不必窃取某人的 cookie - 他们可以随机分配 cookie 值并开始以任何用户身份登录碰巧与该 cookie 相关联(如果有),对吗?
On the same note, I guess this is why the cookie ids must be difficult to randomly generate, because a malicious user doesn't have to steal someone's cookie - they could just randomly assign cookie values and start logging in as whichever user happens to be associated with that cookie, if any, right?
可怕的东西,我觉得我至少应该在客户端 cookie 中包含用户名,这样当它呈现给服务器时,除非用户名 + cookieid 在 DataStore 中匹配,否则我不会自动登录.
Scary stuff, I feel like I should at least include the username in the client cookie such that when it presents itself to the server, I won't auto-login unless the username+cookieid match in the DataStore.
任何评论都会很棒,我对此很陌生,并试图找出最佳实践.我不是在写一个包含任何敏感个人信息的网站,但我想尽量减少任何滥用的可能性,
Any comments would be great, I'm new to this and trying to figure out a best practice. I'm not writing a site which contains any sensitive personal information, but I'd like to minimize any potential for abuse all the same,
谢谢
推荐答案
唯一可怕的是如果有人发现了 cookie 的价值会发生什么?恶意个人可以在他们的浏览器中设置该 cookie 并访问我的网站,并且基本上以与其关联的用户身份登录!
The only frightening thing is what happens if someone finds out the value of the cookie? A malicious individual could set that cookie in their browser and access my site, and essentially be logged in as the user associated with it!
没错.这也适用于所有标准"会话 cookie,例如 JSP/Servlet webapps 中的 jsessionid 和 PHP webapps 中的 PHPSESSID 等等.然而,它们的寿命很短,不会造成伤害.对于长期存在的 cookie,只需确保 cookie 值是唯一的(使用 DB 的 PK/UK)、长(最多 255 个字符)、难以猜测(无模式、无 MD5 哈希)并且可以包含所有可打印的 ASCII 字符(在 0x20-0x7E 范围内).
That's correct. This also applies to all "standard" session cookies such as jsessionid in JSP/Servlet webapps and PHPSESSID in PHP webapps and so on. They however have such a short lifetime that it doesn't harm. For long-living cookies, just ensure that the cookie value is unique (use DB's PK/UK for it), long (go up to 255 chars), hard-to-guess (no patterns, no MD5 hashes) and can contain all printable ASCII characters (in 0x20-0x7E range).
您还经常看到仅在此 IP 地址上记住我"选项,以便它基本上锁定到唯一的 IP 地址.您可以通过 <获取它代码>HttpServletRequest#getRemoteAddr().
You also see often an option "Remember me on this IP address only" so that it's basically locked to an unique IP address. You can obtain it by HttpServletRequest#getRemoteAddr().
这篇关于这是我的网络应用程序“记住我"功能的合法实现吗?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
