Persistent login using cookies and session variables

Views: 176

Problem description

I've been researching the best (and safest) ways to implement persistent logins on my website, and I've come up with the following:

When a user logs in, a cookie is created containing the user's ID/username, and a randomly generated number (token). The token is stored in a relational table along with the user ID/username. Every time a members-only page is loaded, this cookie is checked against the relational table, and if it exists and matches with the token, the login is valid and the page can load. If not, however, then the login is invalid, the cookie is destroyed, and the user is prompted to log in.

I was thinking... to save on database access every single time a page is loaded, I could also have a session variable that lasts, say, 10 minutes, and is destroyed automatically when the browser closes. If the session is alive, then it's refreshed and the user can proceed. If the session expires, but the cookie is still valid, check the cookie, reset the token, store that new token in the database (while eliminating the old token, or storing it in an archives table for future reference), and reset the cookie using the new token value.

However, what would the session contain? And how could the session not simply be faked with some JavaScript? Perhaps the session contains a one-way encrypted hash? What would be used to generate that hash (user ID, etc.)?

I'm kind of stuck on where to go from here. I get the cookie stuff, but using temporary sessions (to avoid repeated calls to the database every single time a page is loaded) eludes me. Any help? Thanks.

Recommended answer

Cookies should be fine (an alternative would be to store it in the HTTP header), however I don't see the need to store the username/ID in the cookie. The token itself should be enough. You can use a UUID as a token. Store that along with the username and a last_access_timestamp in the database table. And only send the token (in a cookie or in the HTTP request header) on every request. That's enough for implementing sessions in my opinion.

A token is generated on a successful login of a user, stored in the database and passed to the user. Whenever a user accesses the webpage, the token is passed in the request and is validated. If valid, the last_access_timestamp is refreshed and the user can proceed. The lookup in the validation will be done by token, and with the username you can do the authentication and authorization. If the token is invalid or expired, forward the user to a login page.

Deleting expired sessions out of the db can be done periodically using a cron job or on creation of a new session.

For performance reasons you might think about storing the session in a hashmap in memory, since it might be costly to always update the database.

Also think about using HTTPS, to prevent people sniffing the token.

I solved this the following way a few months ago: Java Custom Session Implementation: Expired Sessions
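The token flow the answer describes (mint a random token on login, look it up by token on every request, refresh last_access_timestamp, expire idle rows and purge them periodically), as an added Python example that is not code from the question, the answer or the linked Java implementation. The in-memory dict stands in for the database table; storing only a digest of the token and the injectable `now` clock are my additions, not part of the answer.

```python
import hashlib
import secrets
import time

SESSION_TTL_SECONDS = 10 * 60  # idle timeout; the question mentions 10 minutes


class TokenStore:
    """Stand-in for the table (token, username, last_access_timestamp). Only a SHA-256
    digest of the token is stored so a leaked table gives no usable logins (an addition)."""

    def __init__(self, ttl=SESSION_TTL_SECONDS):
        self.ttl = ttl
        self.rows = {}  # token digest -> {"user": str, "last_access": float}

    @staticmethod
    def _digest(token):
        return hashlib.sha256(token.encode("ascii")).hexdigest()

    def create(self, username, now=None):
        """On successful login: mint a random token, store its digest, return the token."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)  # 256 random bits; a UUID4 carries 122
        self.rows[self._digest(token)] = {"user": username, "last_access": now}
        return token

    def validate(self, token, now=None):
        """On every request: the username if the cookie token is known and not idle-expired."""
        now = time.time() if now is None else now
        key = self._digest(token)
        row = self.rows.get(key)
        if row is None:
            return None  # unknown token: caller clears the cookie and redirects to login
        if now - row["last_access"] > self.ttl:
            del self.rows[key]  # expired: drop the row on the spot, as the answer suggests
            return None
        row["last_access"] = now  # refresh last_access_timestamp on a valid hit
        return row["user"]

    def revoke(self, token):
        """Logout: drop the row server-side, not just the browser cookie."""
        self.rows.pop(self._digest(token), None)

    def purge_expired(self, now=None):
        """Periodic cleanup (the cron job in the answer). Returns rows removed."""
        now = time.time() if now is None else now
        stale = [k for k, r in self.rows.items() if now - r["last_access"] > self.ttl]
        for k in stale:
            del self.rows[k]
        return len(stale)
```

The cookie carrying the token should be sent with the Secure and HttpOnly flags, which is the HTTPS point the answer makes plus keeping the token away from page scripts.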
