How do I keep a user logged into my site for months?

Question

I'm using OpenID. How do I make it so that the user stays logged in for a long time even after closing the browser window?

How do I store and get access to the user's User object?

Basically, I guess I just don't really understand how sessions work in Java.

Recommended answer

So you actually want like a "Remember me on this computer" option? This is actually unrelated to OpenID part. Here's a language-agnostic way how you can do it:

  • First create a DB table with at least cookie_id and user_id columns. If necessary also add a cookie_ttl and ip_lock. The column names speak for themselves I guess.

  • On first-time login (if necessary only with the "Remember me" option checked), generate a long, unique, hard-to-guess key (which is in no way related to the user) which represents the cookie_id and store this in the DB along with the user_id. Store the cookie_id as cookie value of a cookie with known cookie name, e.g. remember. Give the cookie a long lifetime, e.g. one year.

  • On every request, check if the user is logged in. If not, then check the cookie value cookie_id associated with the cookie name remember. If it is there and it is valid according to the DB, then automagically login the user associated with the user_id and postpone the cookie age again and if any, also the cookie_ttl in DB.

In Java/JSP/Servlet terms, make use of HttpServletResponse#addCookie() to add a cookie and HttpServletRequest#getCookies() to get cookies. You can do all the first-time checking in a Filter which listens on the desired resources, e.g. /* or maybe a bit more restricted.

With regard to sessions, you don't need it here. It has a shorter lifetime than you need. Only use it to put the logged-in user or the "found" user when it has a valid remember cookie. This way the Filter can just check its presence in the session and then doesn't need to check the cookies every time.

It's after all fairly straightforward. Good luck.
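The three steps of the answer above as a servlet Filter; this is an added example, not code from the original answer. Assumptions: Servlet 4.0 (`javax.servlet`) and Java 16+, an in-memory map standing in for the DB table, and a session attribute named `userId`. The HttpOnly/Secure cookie flags and the session-id change on auto-login are hardening added here, not steps from the answer.

```java
import java.io.IOException;
import java.security.SecureRandom;
import java.time.Instant;
import java.util.Base64;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import javax.servlet.*;
import javax.servlet.http.*;

public class RememberMeFilter implements Filter {
    private static final int TTL = 365 * 24 * 3600;          // one year, in seconds
    // In-memory stand-in (assumption) for the DB table: cookie_id -> (user_id, cookie_ttl).
    record Row(long userId, Instant expires) {}
    static final Map<String, Row> TABLE = new ConcurrentHashMap<>();

    /** Call after a successful login with "Remember me" checked. */
    static void remember(HttpServletResponse res, long userId) {
        byte[] raw = new byte[32];                           // 256 random bits, unrelated to the user
        new SecureRandom().nextBytes(raw);
        issue(res, Base64.getUrlEncoder().withoutPadding().encodeToString(raw), userId);
    }

    /** Stores or refreshes the row and (re)sends the cookie with a full lifetime. */
    static void issue(HttpServletResponse res, String cookieId, long userId) {
        TABLE.put(cookieId, new Row(userId, Instant.now().plusSeconds(TTL)));
        Cookie c = new Cookie("remember", cookieId);
        c.setMaxAge(TTL);
        c.setPath("/");
        c.setHttpOnly(true);                                 // not readable from page scripts
        c.setSecure(true);                                   // only sent over HTTPS
        res.addCookie(c);
    }

    @Override
    public void doFilter(ServletRequest rq, ServletResponse rs, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) rq;
        HttpServletResponse res = (HttpServletResponse) rs;
        Cookie[] cookies = req.getCookies();                 // null when the request carries none
        if (req.getSession().getAttribute("userId") == null && cookies != null) {
            for (Cookie c : cookies) {
                if (!"remember".equals(c.getName())) continue;
                Row row = TABLE.get(c.getValue());
                if (row == null || row.expires().isBefore(Instant.now())) { TABLE.remove(c.getValue()); continue; }
                req.changeSessionId();                       // new session id at the moment of login
                req.getSession().setAttribute("userId", row.userId());
                issue(res, c.getValue(), row.userId());      // postpone cookie age and cookie_ttl
            }
        }
        chain.doFilter(req, res);
    }
}
```

In a real deployment the map becomes the table from the first step, and logout should delete the row as well as the cookie so a copied cookie value stops working.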
