Is this a reasonable way to implement 'remember me' functionality?

Views: 148

Question

If a user logs into the site and says 'remember me', we get the unique identifier for the user, encrypt this with RijndaelManaged with a key size of 256 and place this in an HttpOnly cookie with a set expiration of, say, 120 days; the expiration is refreshed on each successful request to the server.

Optionally we generate the initialization vector based upon the user agent and part of the IPv4 address (the last two octets).

Obviously there's no real expiration system built into this; the user could technically use this encrypted key forever (given we don't change the server-side key).

I considered the fact that to allow this feature I need to allow the user to be able to bypass the login and give me their unique id (which is a GUID). I figured the GUID alone was really hard to guess for a real user's GUID, but it would leave the site open to attack by botnets generating GUIDs (I've no idea how realistic it is for them to find a legit GUID)... so this is why there's encryption where the server knows the encryption key, and optionally the IV is specific to the browser and IP part.

Should I be considering a different approach where the server issues tickets associated with a user, and these tickets would have a known expiration date so the server stays in control of expiration? Should I really care about expiration? Remember me is remember me, after all?

Looking forward to being humbled ;), Cheers.

Answer

Very similar question: http://stackoverflow.com/questions/685298/securely-implementing-session-state-and-keep-me-logged-in-feature

The solution to your question is in this blog post:

"Persistent Login Cookie Best Practice" describes a relatively secure approach to implementing the familiar "Remember Me" option for web sites. In this article, I propose an improvement that retains all the benefits of that approach but also makes it possible to detect when a persistent login cookie has been stolen and used by an attacker.

As Jacco says in the comments: for in-depth info about secure authentication read The Definitive Guide To Website Authentication (http://stackoverflow.com/questions/549/the-definitive-guide-to-website-authentication-beta#477580).
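The question asks whether the server should issue tickets with a known expiration instead of trusting an encrypted GUID in the cookie, and the answer points to a scheme that can also detect a stolen persistent-login cookie. The following is an added illustration of that server-issued design, written for this page; it is not code from the question author, the answer, or the linked articles. It assumes an in-memory dictionary standing in for the database table, and the status names ("ok", "invalid", "expired", "theft") are my own. The cookie carries a random series identifier plus a random one-time token; the server stores only a hash of the token together with its own expiry, rotates the token on every successful use (the sliding refresh the question describes), and treats a known series presented with a stale token as evidence that the cookie was copied.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional

# The question's 120-day lifetime, but recorded and enforced server-side so the
# server, not the cookie, decides when a ticket dies. Refreshed on each use.
TOKEN_TTL_SECONDS = 120 * 24 * 60 * 60


@dataclass
class SeriesRecord:
    user_id: str
    token_hash: str    # only a hash is stored: a leaked table yields no usable cookies
    expires_at: float


@dataclass
class AuthResult:
    status: str                     # "ok", "invalid", "expired" or "theft" (my own labels)
    user_id: Optional[str] = None
    cookie: Optional[str] = None    # replacement cookie value to set on "ok"


class RememberMeStore:
    """Server-side ticket store (hypothetical in-memory stand-in for a DB table)."""

    def __init__(self, now=time.time):
        self._series: Dict[str, SeriesRecord] = {}
        self._now = now   # injectable clock so expiry can be tested

    @staticmethod
    def _hash(token: str) -> str:
        return hashlib.sha256(token.encode("ascii")).hexdigest()

    def _store(self, series_id: str, user_id: str) -> str:
        # Mint a fresh one-time token and (re)set the server-side expiry.
        token = secrets.token_urlsafe(32)
        self._series[series_id] = SeriesRecord(
            user_id, self._hash(token), self._now() + TOKEN_TTL_SECONDS)
        return f"{series_id}:{token}"   # token_urlsafe never contains ':'

    def issue(self, user_id: str) -> str:
        """At password login with 'remember me' ticked: start a new series."""
        return self._store(secrets.token_urlsafe(16), user_id)

    def authenticate(self, cookie: str) -> AuthResult:
        """Validate a presented cookie and rotate its token on success."""
        series_id, sep, token = cookie.partition(":")
        if not sep or not series_id or not token:
            return AuthResult("invalid")
        record = self._series.get(series_id)
        if record is None:
            return AuthResult("invalid")
        if record.expires_at <= self._now():
            del self._series[series_id]          # server-controlled expiry
            return AuthResult("expired")
        if not hmac.compare_digest(record.token_hash, self._hash(token)):
            # Series is known but the token was already consumed: the cookie was
            # replayed, so either the real user or a thief now holds a dead copy.
            # Revoke every series for the user and require a fresh password login.
            self.revoke_user(record.user_id)
            return AuthResult("theft", user_id=record.user_id)
        new_cookie = self._store(series_id, record.user_id)   # rotate + refresh
        return AuthResult("ok", user_id=record.user_id, cookie=new_cookie)

    def revoke_user(self, user_id: str) -> int:
        """Delete all series for a user (theft response or 'log out everywhere')."""
        doomed = [s for s, r in self._series.items() if r.user_id == user_id]
        for s in doomed:
            del self._series[s]
        return len(doomed)

    def logout(self, cookie: str) -> None:
        """Explicit logout on one browser deletes only that browser's series."""
        self._series.pop(cookie.partition(":")[0], None)
```

Compared with the encrypted-GUID cookie in the question, nothing in this cookie is derived from the user's identifier, the user agent or the IP address, so there is no server-side key whose leakage mints valid cookies and no stable value for a guessing bot to aim at; a stolen cookie is good for at most one use. One caveat: a legitimate client that sends the same old cookie twice (two tabs racing, or a request retried after a network error) trips the same "theft" path, so a real deployment should expect occasional forced re-logins from that case.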

