What is the best way to implement "remember me" for a website?


Question

I want my website to have a checkbox that users can click so that they will not have to log in each time they visit my website. I know I will need to store a cookie on their computer to implement this, but what should be contained in that cookie?

Also, are there common mistakes to watch out for to keep this cookie from presenting a security vulnerability, which could be avoided while still giving the 'remember me' functionality?

Accepted answer

Improved Persistent Login Cookie Best Practice

You could use this strategy described here as best practice (2006) or an updated strategy described here (2015):


  1. When the user successfully logs in with Remember Me checked, a login cookie is issued in addition to the standard session management cookie.
  2. The login cookie contains a series identifier and a token. The series and token are unguessable random numbers from a suitably large space. Both are stored together in a database table; the token is hashed (sha256 is fine).
  3. When a non-logged-in user visits the site and presents a login cookie, the series identifier is looked up in the database.
     1. If the series identifier is present and the hash of the token matches the hash for that series identifier, the user is considered authenticated. A new token is generated, a new hash for the token is stored over the old record, and a new login cookie is issued to the user (it's okay to re-use the series identifier).
     2. If the series is present but the token does not match, a theft is assumed. The user receives a strongly worded warning and all of the user's remembered sessions are deleted.
     3. If the username and series are not present, the login cookie is ignored.


This approach provides defense-in-depth. If someone manages to leak the database table, it does not give an attacker an open door for impersonating users.
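The series/token scheme from the answer above, written out as an added example (not code from the original answer or from the linked articles). The database table is replaced by a constructed in-memory dict, and the cookie value is assumed to be `series:token`; everything else follows the three cases listed in step 3.

```python
import hashlib
import secrets

# Constructed stand-in for the database table: series -> {user, token_hash}.
# A real deployment would keep this in persistent storage.
REMEMBERED: dict[str, dict] = {}


def _hash(token: str) -> str:
    """Only the hash of the token is stored, so a leaked table is not enough to log in."""
    return hashlib.sha256(token.encode()).hexdigest()


def issue_login_cookie(user: str) -> str:
    """Create an unguessable series/token pair, store the hashed token, return the cookie value."""
    series = secrets.token_urlsafe(16)
    token = secrets.token_urlsafe(32)
    REMEMBERED[series] = {"user": user, "token_hash": _hash(token)}
    return f"{series}:{token}"


def authenticate_with_cookie(cookie: str):
    """Return (status, user, new_cookie) where status is 'ok', 'theft' or 'ignored'."""
    try:
        series, token = cookie.split(":", 1)
    except ValueError:
        return "ignored", None, None          # malformed cookie: ignore it
    record = REMEMBERED.get(series)
    if record is None:
        return "ignored", None, None          # case 3: unknown series, cookie ignored
    if not secrets.compare_digest(record["token_hash"], _hash(token)):
        # case 2: series known but token wrong -> assume theft,
        # drop every remembered session belonging to that user.
        user = record["user"]
        for stale in [s for s, r in REMEMBERED.items() if r["user"] == user]:
            del REMEMBERED[stale]
        return "theft", user, None
    # case 1: authenticated; rotate the token, keep the series, issue a fresh cookie.
    new_token = secrets.token_urlsafe(32)
    record["token_hash"] = _hash(new_token)
    return "ok", record["user"], f"{series}:{new_token}"
```

Replaying an old cookie after rotation is what triggers the theft branch, which is how a copied cookie is detected once either party uses it.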
