安全Cookie? [英] Secure Cookies?
问题描述
我正在将我的(未发行的)CMS从 $ _ SESSION
慢慢移至 $ _ COOKIE
。互联网上的内容似乎偏向于 $ _ SESSION
(我假设因为易用性)。我正在寻找有关保存Cookie的安全提示。目前,我存储(有点相似的WordPress)一个cookie的格式:
I am slowly moving my (unreleased) CMS from $_SESSION
to $_COOKIE
. Content on the internet seems to be biased more towards $_SESSION
(I assume because ease of use). I am looking for security tips on saving cookies. Currently, I am storing (somewhat similar WordPress) a cookie in the format:
'logged_in_%hash_key%'=> username |%hash_password%
我的%hash_key%
在每次登录锁定后,重新生成(如果用户选择)c $ c> md5(MYSALT。something.UNIQUE_KEY)和 UNIQUE_KEY
可能存储了Cookie的其他计算机。它是一个随机的6个字符的字符串。
Where my %hash_key%
is md5(MYSALT."something".UNIQUE_KEY)
and UNIQUE_KEY
is regenerated (if the user chooses) after each login to lock out other computers that might have a cookie stored. It is a random 6-character string.
%hash_password%
)。
我必须知道 $ _ COOKIE
的键|并查看用户名和密码。
I must know the key of the $_COOKIE
(obviously), then I split the string by "|" and look at the username and password. If something doesn't match, I destroy the cookies.
我的问题是:您有关于以安全格式存储Cookie的其他提示,或者这个好?
我还为每个请求的操作生成一个随机数。例如,我为'delete'创建了一个nonce,我希望在我的 $ _ REQUEST
中获得nonce。
I also generate a nonce for each requested action. For example, I create a nonce for 'delete' and I expect to get that nonce back in my $_REQUEST
. I don't log the user out if I get an incorrect response, but I don't do anything.
正如meagar指出的,我知道COOKIES是
推荐答案
我看到了一个的评论,你想要一个登录记住我。一个简单的解决方案只是增加$ _SESSION的过期时间(或实现自己的会话算法)。然而,这通常被认为是不利的。这是一篇关于如何创建安全的好文章,记得我:
I saw from one of your comments that you wanted a login with Remember Me. A simple solution is just to increase the expiration time of $_SESSION (or implement your own session algorithm). However, that is generally considered unfavorable. This is a great article on how you would create a secure remember me:
http:// jaspan.com/improved_persistent_login_cookie_best_practice
基本思想是:
Cookie:
- 用户名/电子邮件/ etc
- 令牌
- 系列
令牌在每次用户加载页面时都会更改。然而,系列在记住我的整个时期都保持不变。您将在数据库(可能是MySQL)中保存系列表和令牌。
The token is changed every time the user loads a page. However, the series remains the same for the entire duration of the remember me period. You would keep a table of the series and the token in a database (possibly MySQL).
我不太好解释它,所以我强烈建议您阅读文章。
I'm not very good at explaining it, so I highly encourage you to read the article.
这篇关于安全Cookie?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!