在Cookie中存储登录信息 [英] Storing login information in Cookies
问题描述
我想将用户的身份验证信息保存在浏览器cookie中以进行永久登录。他们说,它永远不会安全地存储任何秘密信息(如密码)在cookie中,但为了有一个选项,如记住密码,我认为没有任何其他选择。
I want to save user's authentication information in browser cookie for persistent login. As they say, its never safe to store any secret info (such as password) in cookie, but in order to have an option such as 'Remember Password', i think there is no any other choice.
所以,如果用户想要记住他的登录信息,并且如果我存储用户名(电子邮件)+不是密码,而是一些其他唯一的信息,如cookie中的HASHED DB ID。然后,我应该检查存储在cookie中的哈希ID与用户存储在Cookie中的电子邮件是否匹配。
我认为任何人都可以很容易地看到存储在浏览器中的cookie(例如在Firefox,选项 - > Cookie)。
So, if a user want to remember his login info, and if i store username (Email) + Not the password, but some other unique info, such as HASHED DB ID in the cookie. Then i should check if the hashed ID stored in cookie matches with user's email which is stored in Cookie. As I think anyone can very easily see the cookies stored in Browser (for example in Firefox, Options -> Cookies ).
所以这将是一样弱,为某人从其中保存的计算机读取cookie,然后在其他计算机设置cookie的信息,他会登录? (因为脚本会检查存储的电子邮件和哈希id与数据库,它会匹配)?
So would this be as weak as for someone to read the cookie from the computer where its saved, then on other computer set cookie with that information and he would be logged in? (As the script will check the stored email and hashed id with database and it will match)?
这种方法可以改进,而不存储其他信息在数据库会话ID等)?
感谢
Could this approach be bit improved without storing other information in database (such as session id etc) ? Thanks
推荐答案
还有另一个选项。
对于每个用户,在登录并请求记住时,创建一个长的随机字符串。
For each user, upon logging in and requesting to be remembered, create a long random string.
将此字符串连同userId一起存储在您提供给
在数据库中存储字符串的正确加密的散列。
Store this string, along with the userId, in the cookie you give to the user.
Store a properly salted hash of the string in your db.
如果用户提供了一个记住我的cookie,匹配随机字符串
If the user presents a remember-me cookie, match the random string to the hashed verifier you have in your database (just as if it where a password).
如果匹配 - >记录用户并创建一个新的记住我的密码cookie。
如果没有匹配 - >请求用户名和密码。
If it matches -> log the user in and create a new remember-me cookie for them.
If doen't match -> request username and password.
这篇关于在Cookie中存储登录信息的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
