我应该存储在Cookie中以实现“记住我”在用户登录期间 [英] What should I store in cookies to implement "Remember me" during user login

问题描述

我为我的网站设置了登录系统，存储在数据库中的用户详细信息为 userid （每个用户和标识符唯一），电子邮件地址（唯一），显示名称（不唯一），密码和会员。

存储在饼干？我正在考虑只将userid存储在cookie中的到期日期，然后如果用户在注册后重新访问我的网站检查cookie并登录他（这种不对我看），并销毁cookie如果他决定注销。

*一点解释也会非常有帮助。感谢

I have a login system in place for my website, the details of the user which are stored in the database are userid(unique for every user and identifier), email address(unique), display name(not unique), password and membersince.
Now what should I store in the cookies? I was thinking about storing just the userid in the cookie with an expiration date and then if the user revisits my website after signing up check for the cookie and log him in( which kind of doesn't look right to me) and destroy the cookie if he decides to log out.
*A little explanation would also be very helpful. Thanks

推荐答案

如果您使用只有您的应用程序知道的密钥签名，您只能将该用户ID存储在Cookie中。否则，用户可能将cookie更改为任何内容，并以其他人身份登录。所以，如果你想存储userid，用密钥存储用户id的哈希值（理想情况下使用 HMAC ），并且当您想要记录它们时，计算相同的散列并将其与来自cookie的散列进行比较。另一个解决方案是生成一个随机令牌，将其存储在数据库中并在cookie中使用它。如果它很长和随机足够，有很少的机会，有人会猜到另一个人的令牌。

You can only ever store the userid in a cookie if you sign it with a secret key that only your applications knows. Otherwise it's possible for the user to change the cookie to anything and login as somebody else. So, if you want to store the userid, store also a hash of the user id with the secret key (ideally using HMAC) and when you want to log them in, calculate the same hash and compare it to the hash from the cookie. Another solution is to generate a random token, store it in the database and use that in the cookie. If it's long and random enough, there is very little chance somebody would guess another person's token.

这篇关于我应该存储在Cookie中以实现“记住我”在用户登录期间的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！