Stay Logged In Best Practices: How does a username in the cookie make it more secure?


Question

This is a branch of another question: What is the best way to implement "remember me" for a website?

The top answer is to implement this: http://jaspan.com/improved_persistent_login_cookie_best_practice

To summarize:

Use a random number as a Series Token, and another as a Login Token. Place those in the Stay Logged In cookie, along with the username. Assign a second, normal Session cookie. Each time a user arrives without a Session cookie, consume the Stay Logged In cookie. Issue a new one, this time with a new random Login Token, keeping the Series Token the same.

Why include the username? How is that helping? The Series Token should be enough to identify the user and series. The Series Token was added in this approach to prevent a DoS attack where an attacker just guesses all usernames and hits the site all at once, logging everyone out. But why does it make sense to leave the username in at all?

Answer

My guess:

The username is for audit. If you require the client to send it together with the token for authentication, then you know which user attempts to be authenticated, which allows you to react in some sane way to the token being wrong.

If you only ask for the token during auth, then you don't know which user is actually trying it; on a match you just grant someone access, but you can't do anything on a failure. Someone can just blindly try them all.

With that in mind, let's say we settle on using both the username and the token. Now if the token is wrong we can remove all the other tokens for that user. But that opens the system up to DoS: an attacker can log out anyone at will. So for that, the series is added.

It does not have to be the username; some other piece of information that allows you to identify the user will work too.
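The series/login-token scheme from the question, together with the answer's point about reacting differently to a guessed series versus a stolen token, as an added Python example (not code from the original post or from Jaspan's article). The in-memory store, the SHA-256 hashing of the login token, and the audit list are assumptions of this example:

```python
import hashlib
import secrets
from dataclasses import dataclass, field


def _h(token: str) -> str:
    """Store only a hash of the login token so a leaked table is not directly usable."""
    return hashlib.sha256(token.encode()).hexdigest()


@dataclass
class RememberMeStore:
    # Constructed in-memory store: series token -> (username, hashed login token).
    series: dict = field(default_factory=dict)
    audit: list = field(default_factory=list)  # (event, username) records

    def issue(self, username: str) -> dict:
        """Start a new series for a user and return the cookie contents."""
        s, t = secrets.token_urlsafe(16), secrets.token_urlsafe(16)
        self.series[s] = (username, _h(t))
        return {"user": username, "series": s, "token": t}

    def consume(self, cookie: dict):
        """Validate a presented cookie and rotate its login token.
        Returns (username, new_cookie) on success, (None, None) otherwise."""
        rec = self.series.get(cookie["series"])
        if rec is None or rec[0] != cookie["user"]:
            # Unknown series (or series belonging to someone else): most likely a
            # blind guess. Log it, but do not revoke anything for the named user;
            # revoking here is exactly what would let an attacker log people out.
            self.audit.append(("unknown-series", cookie["user"]))
            return None, None
        username, token_hash = rec
        if not secrets.compare_digest(_h(cookie["token"]), token_hash):
            # Correct series but wrong login token: that token was already rotated,
            # so either the cookie was stolen and replayed, or the legitimate client
            # is presenting a stale copy. Revoke all of this user's series and flag it.
            self.audit.append(("possible-theft", username))
            for s in [s for s, (u, _) in self.series.items() if u == username]:
                del self.series[s]
            return None, None
        # Good cookie: keep the series, issue a fresh login token.
        new_token = secrets.token_urlsafe(16)
        self.series[cookie["series"]] = (username, _h(new_token))
        self.audit.append(("ok", username))
        return username, {"user": username, "series": cookie["series"], "token": new_token}
```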
