PHP persistent login - Do I reissue a cookie after every page authentication?


Problem description


I have built a persistent login application on these principles (from: http://jaspan.com/improved_persistent_login_cookie_best_practice):

  1. When the user successfully logs in with Remember Me checked, a login cookie is issued in addition to the standard session management cookie.[2]
  2. The login cookie contains the user's username, a series identifier, and a token. The series and token are unguessable random numbers from a suitably large space. All three are stored together in a database table.
  3. When a non-logged-in user visits the site and presents a login cookie, the username, series, and token are looked up in the database.
  4. If the triplet is present, the user is considered authenticated. The used token is removed from the database. A new token is generated, stored in the database with the username and the same series identifier, and a new login cookie containing all three is issued to the user.
  5. If the username and series are present but the token does not match, a theft is assumed. The user receives a strongly worded warning and all of the user's remembered sessions are deleted.
  6. If the username and series are not present, the login cookie is ignored.

I understand that I re-issue a new token after the initial authentication is successful. But do I re-issue a new token after that on other pages that require authentication as well, by continuing to check for that persistent cookie?

Or do I, after the initial successful authentication, mark the user as logged in and only authenticate from that point forward by a session and save that initial re-issued cookie for when the user tries to access the site after the current session expires (i.e. closed browser, etc)?

Solution

I'd vote for the second option. If nothing else, continually updating the auth cookie is a performance hit (small, but still unnecessary). At successful login, write the cookie. Once the user is in the site, use only the session values.
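The series/token flow from the question combined with the answer's session-first approach, as an added PHP example (not code from the question, the answer or the linked article). The table remembered_logins, the PDO handle $db, a prior session_start(), and the choice to store only a hash of the token are assumptions of this example:

```php
<?php
// Added example, not code from the question or the linked article. Assumes
// session_start() has run, $db is a PDO connection, and a table
// remembered_logins(username, series, token_hash) exists (token is stored hashed).
function issueLoginCookie(PDO $db, string $username, ?string $series = null): void
{
    $series = $series ?? bin2hex(random_bytes(16));
    $token  = bin2hex(random_bytes(16));
    $stmt = $db->prepare('INSERT INTO remembered_logins (username, series, token_hash) VALUES (?, ?, ?)');
    $stmt->execute([$username, $series, hash('sha256', $token)]);
    // Series and token are hex, so ':' is a safe separator; username goes last so it may contain ':'.
    setcookie('remember', "$series:$token:$username", [
        'expires' => time() + 30 * 86400, 'path' => '/',
        'secure' => true, 'httponly' => true, 'samesite' => 'Lax',
    ]);
}
// Returns 'authenticated', 'theft' or 'ignored'. Called only when the session
// carries no user, as the answer recommends; pages with a live session skip it.
function authenticateFromCookie(PDO $db, string $cookie): string
{
    $parts = explode(':', $cookie, 3);
    if (count($parts) !== 3) {
        return 'ignored';
    }
    [$series, $token, $username] = $parts;
    $stmt = $db->prepare('SELECT token_hash FROM remembered_logins WHERE username = ? AND series = ?');
    $stmt->execute([$username, $series]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return 'ignored';                        // step 6: unknown username/series
    }
    if (!hash_equals($row['token_hash'], hash('sha256', $token))) {
        // step 5: series known but token wrong -> assume theft, drop every remembered login
        $db->prepare('DELETE FROM remembered_logins WHERE username = ?')->execute([$username]);
        return 'theft';
    }
    // step 4: valid triplet -> consume the token and rotate it within the same series
    $db->prepare('DELETE FROM remembered_logins WHERE username = ? AND series = ?')
       ->execute([$username, $series]);
    issueLoginCookie($db, $username, $series);
    session_regenerate_id(true);
    $_SESSION['user'] = $username;               // from here on only the session is checked
    return 'authenticated';
}

// Per-page gate: the cookie is consulted only when the session has no user.
if (empty($_SESSION['user']) && isset($_COOKIE['remember'])) {
    authenticateFromCookie($db, $_COOKIE['remember']);
}
```

A 'theft' result is the point at which to show the warning described in step 5, since the login cookie the browser still holds is now useless.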
