PHP：记住我和安全？ [英] PHP: Remember Me and security?

问题描述

在我学习PHP支持Unicode的过程中，我一直在努力使我的记住我Cookie更安全一些。然而，有一些我不明白的东西和一些我自己的想法我想要一些建议和意见。

During the time I've spent taking breaks from learning how PHP supports Unicode I've been delving into making my "Remember Me" cookies a bit more secure. However there are a few things I don't understand and a few of my own musings I'd like some suggestions and opinions on.

1）是否有任何方法采用不涉及Cookie的记住我功能？好奇，因为存储认证cookie有明显的安全缺陷。不是说在一切都没有安全风险。

1) Is there any method to adopting a "Remember Me" feature that doesn't involve cookies? Curious since there are obvious security flaws in storing authentication cookies. Not that there aren't security risks in just about everything.

2）由于我不使用银行或高度敏感的信息，因此有必要要求用户输入他们的密码，地区？看起来，记住一个登录将是一个浪费，如果我们只是要求他们基本上登录，无论如何两分钟后。

2) Since I'm not working with a bank or "highly sensitive" information, is it necessary to require users to enter their passwords for the more "high profile" areas? It seems that remembering a login would be a waste if we're just going to ask them to essentially log in anyway two minutes later.

3）存储认证cookie（除了不是）的绝对最好的方法是什么？我当前编码的区域设置单个令牌在cookie（哈希使用time（），他们的用户代理，remote_addr和盐 - sha256）。当所述用户回来时，它检查'会话'表中的令牌，然后匹配IP到IP以登录它们。如果令牌存在但IP不匹配，则以静默方式取消cookie并要求他们登录如果他们没有一个。

3) What's the absolute best method for storing an authentication cookie (aside from "not at all")? I have currently coded that area to set a single token in the cookie (hashed using time(), their user agent, remote_addr, and a salt - sha256). When said user comes back it checks the 'sessions' table for the token, then matches IP to IP to log them in. If the token is there but the IP doesn't match it silently unsets the cookie and asks them to log in as if they didn't have one.

再次感谢所有人。

推荐答案

1. 本质上，不。它需要在客户端一些存储;你无法知道客户是没有cookie（或类似的，如HTML 5客户端存储）的客户端。

1. Essentially, no. It requires some sort of storage on the client side; you have no way to know who a client is without a cookie (or similar, like HTML 5 client-side storage).

这是一个折衷你必须决定。最低限度，旧密码或其他形式的确认（电子邮件？）应该需要更改为新的。

That is a trade-off you must decide. Minimum, the old password or some other form of confirmation (e-mail?) should be required to change it to a new one.

绝对防止cookie窃取和随后的模拟，除非您加密所有的通信。这是唯一的安全方法。 当然，将IP，用户代理等关联到cookie可能是有帮助的，但它更容易，更安全依赖加密。（我误解了这里的重点 - 值的cookie是随机的，所以你应该改变你的生成方法，以减少可预测）

You can't absolutely protect against cookie theft and subsequent impersonation unless you encrypt all the communications. That's the only secure method. Sure, associating an IP, user-agent etc. to the cookie might be helpful, but it's easier and much more secure to rely on encryption. (I misunderstood the point here -- what's important in the value of the cookie is that it's random, so you ought to change your generational method to be less predictable)

这篇关于PHP：记住我和安全？的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！