How does cookie based authentication work?


Problem description

Can someone give me a step by step description of how cookie based authentication works? I've never done anything involving either authentication or cookies. What does the browser need to do? What does the server need to do? In what order? How do we keep things secure?

I've been reading about different types of authentication and about cookies but I would like a basic description of how to use the two together- I've only read that they are often used together but could not find a description of how.

Recommended answer

A cookie is basically just an item in a dictionary. Each item has a key and a value. For authentication, the key could be something like 'username' and the value would be the username. Each time you make a request to a website, your browser will include the cookies in the request, and the host server will check the cookies. So authentication can be done automatically like that.

To set a cookie, you just have to add it to the response the server sends back after requests. The browser will then add the cookie upon receiving the response.

There are different options you can configure for the cookie server side, like expiration times or encryption. An encrypted cookie is often referred to as a signed cookie. Basically the server encrypts the key and value in the dictionary item, so only the server can make use of the information. So then the cookie would be secure.

A browser will save the cookies set by the server. In the HTTP header of every request the browser makes to that server, it will add the cookies. It will only add cookies for the domains that set them. Example.com can set a cookie and also add options in the HTTP header for the browsers to send the cookie back to subdomains, like sub.example.com. It would be unacceptable for a browser to ever send cookies to a different domain.
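The round trip the answer describes, as an added example that is not part of the original post: the server issues a signed session cookie in a `Set-Cookie` header with an expiry and the usual protective attributes, the browser echoes it back in a `Cookie` header, and the server rejects the request if the signature or expiry does not check out. The secret key, cookie name and lifetime are constructed values for the demo.

```python
import base64
import hashlib
import hmac
import time
from http.cookies import SimpleCookie
from typing import Optional

# Constructed demo values; a real server loads the key from a secrets store.
SECRET_KEY = b"constructed-demo-secret-not-for-real-use"
COOKIE_NAME = "session"
MAX_AGE_SECONDS = 3600


def _sign(payload: bytes) -> str:
    """HMAC-SHA256 tag over the payload; only a holder of SECRET_KEY can produce it."""
    mac = hmac.new(SECRET_KEY, payload, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(mac).decode().rstrip("=")


def issue_session_cookie(username: str, now: Optional[int] = None) -> str:
    """Build the Set-Cookie header the server attaches to its response after login.
    Value is 'username.expiry.signature'; the tag binds username and expiry together."""
    now = int(time.time()) if now is None else now
    expiry = now + MAX_AGE_SECONDS
    value = f"{username}.{expiry}.{_sign(f'{username}.{expiry}'.encode())}"
    # HttpOnly keeps page scripts away from it, Secure restricts it to HTTPS,
    # SameSite=Lax limits cross-site sending, Max-Age lets the browser drop it.
    return (f"Set-Cookie: {COOKIE_NAME}={value}; Max-Age={MAX_AGE_SECONDS}; "
            f"Path=/; HttpOnly; Secure; SameSite=Lax")


def authenticate_request(cookie_header: str, now: Optional[int] = None) -> Optional[str]:
    """Parse the Cookie header the browser sent back; return the username only if the
    session cookie is present, its signature verifies and it has not expired."""
    now = int(time.time()) if now is None else now
    jar = SimpleCookie()
    jar.load(cookie_header)
    if COOKIE_NAME not in jar:
        return None
    try:
        # rsplit from the right so a username containing '.' still parses.
        username, expiry_str, sig = jar[COOKIE_NAME].value.rsplit(".", 2)
        expiry = int(expiry_str)
    except ValueError:
        return None
    expected = _sign(f"{username}.{expiry}".encode())
    # Constant-time compare so timing does not leak how much of the tag matched.
    if not hmac.compare_digest(sig, expected):
        return None
    if now >= expiry:
        return None
    return username
```

Note that a signed cookie like this is tamper-evident, not confidential: the username is readable by anyone who sees the cookie, which is why it is sent only over HTTPS and kept out of script reach.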
