实现“记住我”的最佳方式是什么?一个网站? [英] What is the best way to implement "remember me" for a website?
问题描述
我希望我的网站有一个复选框,用户可以点击,以便他们在每次访问我的网站时不必登录。我知道我需要在他们的计算机上存储一个cookie来实现这一点,但该cookie应该包含什么?
I want my website to have a checkbox that users can click so that they will not have to log in each time they visit my website. I know I will need to store a cookie on their computer to implement this, but what should be contained in that cookie?
此外,有没有常见的错误,注意保持这个cookie不出现安全漏洞,这可以避免,同时仍然给予'记住我'功能? / p>
Also, are there common mistakes to watch out for to keep this cookie from presenting a security vulnerability, which could be avoided while still giving the 'remember me' functionality?
推荐答案
改进持久性登录Cookie最佳实践
这里作为最佳做法(2006)或此处描述的更新策略(2015):
Improved Persistent Login Cookie Best Practice
You could use this strategy described here as best practice (2006) or an updated strategy described here (2015):
- 除了标准会话管理cookie之外,当用户成功登录记住我时,还会发出登录cookie 。
- 登录Cookie包含系列标识符和令牌。系列和令牌是来自适当大的空间的不可猜测的随机数。两者都存储在数据库表中,令牌被哈希处理(sha256很好)。
- 当一个未登录的用户访问网站并登录Cookie,系列标识符在数据库中查找。
- When the user successfully logs in with Remember Me checked, a login cookie is issued in addition to the standard session management cookie.
- The login cookie contains a series identifier and a token. The series and token are unguessable random numbers from a suitably large space. Both are stored together in a database table, the token is hashed (sha256 is fine).
- When a non-logged-in user visits the site and presents a login cookie, the series identifier is looked up in the database.
- 如果系列标识符存在,令牌的散列与该系列的散列匹配标识符,则认为用户已认证。系统会生成新令牌,该令牌的新哈希值将存储在旧记录上,并向用户发出新的登录Cookie(可以重新使用系列标识符)。
- 如果系列存在,但令牌不匹配,则假设为盗窃。
- 如果用户名和系列不存在,则登录Cookie会被忽略。
- If the series identifier is present and the hash of the token matches the hash for that series identifier, the user is considered authenticated. A new token is generated, a new hash for the token is stored over the old record, and a new login cookie is issued to the user (it's okay to re-use the series identifier).
- If the series is present but the token does not match, a theft is assumed. The user receives a strongly worded warning and all of the user's remembered sessions are deleted.
- If the username and series are not present, the login cookie is ignored.
这种方法提供深度防御。如果有人设法泄漏数据库表,它不会给攻击者敞开的门户冒充用户。
This approach provides defense-in-depth. If someone manages to leak the database table, it does not give an attacker an open door for impersonating users.
这篇关于实现“记住我”的最佳方式是什么?一个网站?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!