Are passwords stored in cookies?

Views: 283

Problem description


Looking at Gmail and Facebook, I was wondering where they store your password and account info when you log off and have the "Keep me signed in" function on.


I know they store it in cookies, but isn't this hackable/stealable? How safe is this system, and where is this information stored?

Recommended answer

They store the password by encrypting it, or they use some random token; couldn't someone with access to a machine copy that cookie and use it on another machine to log in as that user? The following is the procedure mainly used:

- When the user successfully logs in with "Remember Me" checked, a login cookie is issued in addition to the standard session management cookie.
- The login cookie contains the user's username and a random number (the "token" from here on) from a suitably large space. The username and token are stored as a pair in a database table.
- When a non-logged-in user visits the site and presents a login cookie, the username and token are looked up in the database.
- If the pair is present, the user is considered authenticated. The used token is removed from the database. A new token is generated, stored in the database with the username, and issued to the user via a new login cookie.
- If the pair is not present, the login cookie is ignored.
- Users that are only authenticated via this mechanism are not permitted to access certain protected information or functions, such as changing a password, viewing personally identifying information, or spending money. To perform those operations, the user must first successfully submit a normal username/password login form.
- Since this approach allows the user to have multiple remembered logins from different browsers or computers, a mechanism is provided for the user to erase all remembered logins in a single operation.
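The remember-me procedure from the answer above, worked through as an added example (not code from the original post or from any of the sites mentioned): token issue, one-time redemption with rotation, rejection of unknown pairs, the sensitive-action restriction, and the erase-all operation. The in-memory dictionary stands in for the database table, and storing SHA-256 digests of the tokens rather than the raw tokens is an assumption the answer does not make.

```python
import hashlib
import hmac
import secrets

# Actions the answer says need a fresh username/password login,
# not merely a remembered-login cookie.
SENSITIVE_ACTIONS = {"change_password", "view_pii", "spend_money"}


class RememberMeStore:
    """In-memory stand-in for the (username, token) database table.
    Tokens are kept as SHA-256 digests (an assumption not in the answer)
    so a leaked table does not directly yield usable cookies."""

    def __init__(self):
        self.pairs = {}  # username -> set of token digests

    @staticmethod
    def _digest(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, username):
        """Mint a 256-bit random token, record the pair, and return the
        login cookie value 'username:token'."""
        token = secrets.token_urlsafe(32)
        self.pairs.setdefault(username, set()).add(self._digest(token))
        return f"{username}:{token}"

    def redeem(self, cookie):
        """A non-logged-in visitor presents a login cookie. If the pair is
        known, consume the token and hand out a fresh cookie; the session
        is marked 'remembered'. Unknown pairs are ignored (returns None)."""
        username, sep, token = cookie.partition(":")
        if not sep:
            return None
        digests = self.pairs.get(username, set())
        presented = self._digest(token)
        match = next((d for d in digests if hmac.compare_digest(d, presented)), None)
        if match is None:
            return None
        digests.discard(match)  # one-time use: a replayed copy now fails
        return {"user": username, "level": "remembered", "cookie": self.issue(username)}

    def erase_all(self, username):
        """Clear every remembered login for a user in a single operation."""
        return len(self.pairs.pop(username, set()))


def can_perform(session, action):
    """Remembered-login sessions may not perform sensitive actions."""
    return action not in SENSITIVE_ACTIONS or session["level"] == "password"
```

Replaying a redeemed cookie fails because its token was removed on first use, which is what limits the damage from a copied cookie.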
