在 cookie 中保存凭据/令牌? [英] Saving credentials / token in a cookie?
问题描述
我已设法开始进行身份验证,我知道该身份验证将令牌 (JWT) 返回给客户端.这个令牌有一个到期日期/时间,所以我正在考虑将令牌保存在 cookie 中,以便对未来的登录进行身份验证,但这可能行不通.
I have managed to get working the authentication which i know return a token (JWT) to the client. This token has an expiration date/time so I was thinking about saving the token in a cookie so future logins were authenticated but this is probably not going to work.
然后我想将用户名和密码保存在 cookie 中,尽管我知道不推荐这样做??
I then though about saving the username and password in a cookie although i know this isn't recommended??
目前我有一个接受用户名和密码的表单,成功登录将提供一个用于访问其他端点的令牌.
Currently i have a form that accepts a username and password, a successful login will provide a token which is used to access other endpoints.
表单需要包含记住我",以便自动登录.
The form needs to include a "Remember Me" so an automatic login can occur.
实现这一目标的最佳方法是什么?
What is the best way of achieving this ?
我是否应该将用户名和密码存储在 cookie 中,如果不是,我如何在用户下次访问我的站点时自动进行身份验证.我提供的令牌即将过期,所以即使存储它有任何意义吗?
Should i be storing the username and password in the cookie, if not how do i automatically authenticate the next time the user arrives to my site. The token that i provide is going to be expired so is there any point in even storing this ?
提前致谢
推荐答案
不要在 cookie 中存储用户名或密码.即使 cookie 是加密的,最好存储一个像 cookie 中的令牌那样过期时间短的凭证,而不是像密码那样具有更长保质期的凭证.
Do not store the user name or password in the cookie. Even if the cookie is encrypted, it is better to store a credential with short expiration time like the token in a cookie than a credential like password which has more shelf life.
即使在 ASP.NET Web 窗体或 MVC 世界(窗体身份验证)中,通常记住我"也仅在 cookie 过期之前有效.记住我"并不意味着永远记住我,记住必须有一个有限的时间段.该时间可以从 cookie 中得出.您可以将 JWT 放入 cookie 并将 cookie 的生命周期设置为与 JWT 相同,比如一个小时.当用户在该时间内返回您的应用程序时,cookie 不会过期并且用户会自动登录.否则,他们必须重新登录.不要考虑存储用户名 - 密码并系统地登录.让用户输入凭据,这种方法会更安全.顺便说一句,请确保 cookie 已加密并且是仅 HTTP cookie.
Even in the ASP.NET Web Forms or MVC world (Forms Authentication), typically "Remember me" works only until the time the cookie expires. "Remember me" does not mean remember me for ever and there must be a finite time period for remembering. That time can be derived from a cookie. You can put the JWT in the cookie and set the cookie's life time same as JWT, say an hour. When the user comes back to your app within that time, the cookie will not expire and the user is automatically logged in. Otherwise, they have to re-login. Do not think about storing the user name - password and systematically logging in. Let the user enter the credentials and that approach will be more secure. BTW, make sure cookie is encrypted and is an HTTP only cookie.
此机制类似于表单身份验证.您将使用 JWT 代替身份验证票证.您需要拥有自己的 HttpModule 或消息处理程序来执行此操作并为请求建立身份,而不是 FAM 读取 cookie.
This mechanism will be similar to Forms Authentication. In place of the authentication ticket, you will use your JWT. Instead of FAM reading the cookie, you will need to have your own HttpModule or a message handler to do that and establish the identity for the requests.
这篇关于在 cookie 中保存凭据/令牌?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
