安全Cookie？ [英] Secure Cookies?

问题描述

我正在将我的（未发行的）CMS从 $ _ SESSION 慢慢移至 $ _ COOKIE 。互联网上的内容似乎偏向于 $ _ SESSION （我假设因为易用性）。我正在寻找有关保存Cookie的安全提示。目前，我存储（有点相似的WordPress）一个cookie的格式：

I am slowly moving my (unreleased) CMS from $_SESSION to $_COOKIE. Content on the internet seems to be biased more towards $_SESSION (I assume because ease of use). I am looking for security tips on saving cookies. Currently, I am storing (somewhat similar WordPress) a cookie in the format:

'logged_in_％hash_key％'=> username |％hash_password％

我的％hash_key％在每次登录锁定后，重新生成（如果用户选择）c $ c> md5（MYSALT。something.UNIQUE_KEY）和 UNIQUE_KEY 可能存储了Cookie的其他计算机。它是一个随机的6个字符的字符串。

Where my %hash_key% is md5(MYSALT."something".UNIQUE_KEY) and UNIQUE_KEY is regenerated (if the user chooses) after each login to lock out other computers that might have a cookie stored. It is a random 6-character string.

％hash_password％ ）。

我必须知道 $ _ COOKIE 的键|并查看用户名和密码。

I must know the key of the $_COOKIE (obviously), then I split the string by "|" and look at the username and password. If something doesn't match, I destroy the cookies.

我的问题是：您有关于以安全格式存储Cookie的其他提示，或者这个好？

我还为每个请求的操作生成一个随机数。例如，我为'delete'创建了一个nonce，我希望在我的 $ _ REQUEST 中获得nonce。

I also generate a nonce for each requested action. For example, I create a nonce for 'delete' and I expect to get that nonce back in my $_REQUEST. I don't log the user out if I get an incorrect response, but I don't do anything.

正如meagar指出的，我知道COOKIES是

推荐答案

我看到了一个的评论，你想要一个登录记住我。一个简单的解决方案只是增加$ _SESSION的过期时间（或实现自己的会话算法）。然而，这通常被认为是不利的。这是一篇关于如何创建安全的好文章，记得我：

I saw from one of your comments that you wanted a login with Remember Me. A simple solution is just to increase the expiration time of $_SESSION (or implement your own session algorithm). However, that is generally considered unfavorable. This is a great article on how you would create a secure remember me:

http：// jaspan.com/improved_persistent_login_cookie_best_practice

基本思想是：

Cookie：

• 用户名/电子邮件/ etc


• 令牌


• 系列

令牌在每次用户加载页面时都会更改。然而，系列在记住我的整个时期都保持不变。您将在数据库（可能是MySQL）中保存系列表和令牌。

The token is changed every time the user loads a page. However, the series remains the same for the entire duration of the remember me period. You would keep a table of the series and the token in a database (possibly MySQL).

我不太好解释它，所以我强烈建议您阅读文章。

I'm not very good at explaining it, so I highly encourage you to read the article.

这篇关于安全Cookie？的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！