I have read many old questions on this topic, and I think the best approach is to set a cookie with the username, user_id, and a random token.
The same cookie data is stored in the DB when the cookie is created, and when the user presents the cookie the two are compared (cookie data vs. DB data).
Honestly, if this really is the best practice, I can't see where the security logic is.
An attacker who steals the cookie holds exactly the same cookie as the original user :|
Did I forget some steps? :P
Accepted answer
You should never store the user's password in a cookie, even if it is hashed!!
Take a look at this blog post:
Quote:
- When the user successfully logs in with Remember Me checked, a login cookie is issued in addition to the standard session management cookie.[2]
- The login cookie contains the user's username, a series identifier, and a token. The series and token are unguessable random numbers from a suitably large space. All three are stored together in a database table.
- When a non-logged-in user visits the site and presents a login cookie, the username, series, and token are looked up in the database.
- If the triplet is present, the user is considered authenticated. The used token is removed from the database. A new token is generated, stored in database with the username and the same series identifier, and a new login cookie containing all three is issued to the user.
- If the username and series are present but the token does not match, a theft is assumed. The user receives a strongly worded warning and all of the user's remembered sessions are deleted.
- If the username and series are not present, the login cookie is ignored.
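The series/token scheme quoted above, worked through as an added example that is not part of the original answer or of the blog post it quotes. It uses an in-memory dict in place of the database table, the cookie format `username:series:token`, and a `theft_scenario` helper, all of which are assumptions of this example. One deliberate addition beyond the quoted scheme: the table stores a SHA-256 hash of the token rather than the token itself, so a leaked table cannot be replayed as cookies.

```python
import hashlib
import hmac
import secrets

# Cookie layout assumed for this example: "username:series:token".
# series and token come from secrets.token_urlsafe, so they never contain ':',
# which is why parsing splits from the right and leaves the username intact.
class LoginCookie:
    def __init__(self, username, series, token):
        self.username, self.series, self.token = username, series, token

    def serialize(self):
        return f"{self.username}:{self.series}:{self.token}"

    @staticmethod
    def parse(raw):
        parts = raw.rsplit(":", 2)
        if len(parts) != 3 or not all(parts):
            return None
        return LoginCookie(*parts)


class RememberMeStore:
    """Stands in for the DB table of (username, series, token) rows."""

    def __init__(self):
        self._rows = {}      # (username, series) -> sha256(token) hex; hashing is this example's hardening
        self.warnings = []   # usernames that were shown the "theft" warning

    @staticmethod
    def _hash(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, username):
        """Called on a successful password login with Remember Me checked."""
        series = secrets.token_urlsafe(32)   # 256 bits, unguessable
        token = secrets.token_urlsafe(32)
        self._rows[(username, series)] = self._hash(token)
        return LoginCookie(username, series, token)

    def present(self, raw_cookie):
        """Non-logged-in visitor presents a login cookie.

        Returns (status, new_cookie): status is "authenticated", "theft" or "ignored".
        """
        cookie = LoginCookie.parse(raw_cookie)
        if cookie is None:
            return "ignored", None
        key = (cookie.username, cookie.series)
        stored = self._rows.get(key)
        if stored is None:
            # username + series unknown: ignore the cookie
            return "ignored", None
        if not hmac.compare_digest(stored, self._hash(cookie.token)):
            # username + series known but token wrong: an old token is being replayed,
            # so assume theft, warn the user and drop every remembered session they have
            self._rows = {k: v for k, v in self._rows.items() if k[0] != cookie.username}
            self.warnings.append(cookie.username)
            return "theft", None
        # Triplet matched: consume the token and rotate it within the same series
        new_token = secrets.token_urlsafe(32)
        self._rows[key] = self._hash(new_token)
        return "authenticated", LoginCookie(cookie.username, cookie.series, new_token)

    def remembered_sessions(self, username):
        return sum(1 for (user, _) in self._rows if user == username)


def theft_scenario():
    """The case the question asks about: an attacker copies the victim's cookie.

    Whoever presents the cookie first gets in and rotates the token; when the
    other party replays the now-stale token, theft is detected and every
    remembered session for that user, the attacker's included, is deleted.
    """
    store = RememberMeStore()
    victim_cookie = store.issue("alice").serialize()
    stolen_cookie = victim_cookie                       # byte-for-byte copy
    attacker_status, _ = store.present(stolen_cookie)   # attacker goes first
    victim_status, _ = store.present(victim_cookie)     # victim replays the old token
    return attacker_status, victim_status, store.remembered_sessions("alice")


if __name__ == "__main__":
    print(theft_scenario())  # ('authenticated', 'theft', 0)
```

What this shows that the question misses: the stolen cookie does work, once. The security logic is in the rotation, which turns a shared cookie into a race that the server can detect as soon as the loser replays a consumed token. Two caveats a practitioner should add (my notes, not the answer's): the attacker keeps access until the victim's next visit, so this limits rather than prevents damage, and a lost response (the browser never receives the rotated cookie) produces the same "theft" signal as a real theft, so the warning should send the user to a full password login rather than accuse anyone.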
On the topic of security and remember-me cookie best practices, a similar question exists on Stack Overflow: https://stackoverflow.com/questions/7214458/