Question
I want to offer users an auto-login option. Basically that means a cookie will be stored on the client side.
Now the question is, how do I make it secure so the cookie cannot be spoofed/modified?
One of my friends suggests having a DB table that stores the session_id, the user's IP, browser info, etc., and then comparing all of that information once the user comes to the website again.
I feel like having a separate table for that is a bit too much trouble. Is there another way to do it? Maybe with tokens or something like that?
Recommended answer
The more secure you want this infamous cookie to be, the more trouble it's going to be for you. If your users should be particularly secure, you will have to go with the most troublesome approach.
You should only accept this cookie over HTTPS if you want to be as secure as possible. If the cookie is accepted over HTTP, it can be sniffed and stolen.
I would recommend that the cookie have no user data at all (a token, as you suggested). This will, unfortunately, require another table. When a user logs in and chooses "keep login," create an entry in this table. The entry can be any meaningless value (such as md5(uniqid('', true))). This token can be unique in the DB and mapped to a user's ID.
When a user visits your website, you can check the value of that cookie, get the user it belongs to, and log them in. At this point, you destroy the old token and create a new one. "Destroy" can mean many things: you can delete it from the DB entirely or have a flag that disables the token. You may want to allow the same token to be used multiple times in case the cookie is received but the authentication doesn't go through for some reason, but I think this is insecure. You may also want to store the timestamp of the token and only accept it within some limited period of time (30 days, for example).
As your friend points out, you can store other information such as user agent, IP address, etc., but these may change even with the same browser being used (especially on mobile), and if a user's persistent login is not accepted because of this, it could be jarring and inconvenient for them.
If you really don't want to create another table, then you will have to store some way to derive the user's ID from the cookie value. This is less secure.
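The procedure the answer describes (a separate table keyed by a meaningless token, HTTPS-only cookie, one-time use with rotation on every visit, 30-day expiry), worked through in PHP as an added example. This is not code from the question or the answer, and it makes a few assumptions of its own: the table is called persistent_logins, the cookie value is split into a public selector and a secret validator, the token comes from random_bytes() rather than md5(uniqid('', true)) (uniqid() is time-based and the PHP manual says it is not cryptographically secure), and only a SHA-256 hash of the validator is stored so that a copy of the table cannot be turned into working cookies. An in-memory SQLite database stands in for the real one.

```php
<?php
// Added example, not code from the original answer: token-only "keep me logged in"
// cookie backed by its own table, rotated on every use and expiring after 30 days.
// Assumptions of this example: random_bytes() for the token, selector:validator
// split, SHA-256 hash of the validator stored instead of the validator itself.
declare(strict_types=1);

const TOKEN_LIFETIME = 30 * 24 * 60 * 60;    // 30 days, as suggested in the answer

// In-memory SQLite stands in for the real database in this demo.
function openDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE persistent_logins (
        selector   TEXT PRIMARY KEY,
        token_hash TEXT NOT NULL,
        user_id    INTEGER NOT NULL,
        expires_at INTEGER NOT NULL)');
    return $db;
}

// Insert a row for $userId and return the cookie value "<selector>:<validator>".
// The selector is only a lookup key; the validator is the secret, stored as a hash.
function issueToken(PDO $db, int $userId, int $now): string
{
    $selector  = bin2hex(random_bytes(8));
    $validator = bin2hex(random_bytes(32));
    $db->prepare('INSERT INTO persistent_logins (selector, token_hash, user_id, expires_at)
                  VALUES (?, ?, ?, ?)')
       ->execute([$selector, hash('sha256', $validator), $userId, $now + TOKEN_LIFETIME]);
    return $selector . ':' . $validator;
}

// Validate a presented cookie. The row it points at is always deleted (one-time
// use); on success a fresh token is issued and [user_id, new_cookie_value] is
// returned, otherwise null.
function consumeToken(PDO $db, string $cookieValue, int $now): ?array
{
    $parts = explode(':', $cookieValue, 2);
    if (count($parts) !== 2 || $parts[0] === '' || $parts[1] === '') {
        return null;
    }
    [$selector, $validator] = $parts;

    $stmt = $db->prepare('SELECT token_hash, user_id, expires_at
                          FROM persistent_logins WHERE selector = ?');
    $stmt->execute([$selector]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return null;
    }
    // Burn the row before checking anything else: a wrong validator for a known
    // selector means the cookie was tampered with or copied, and an expired row
    // is dead weight either way.
    $db->prepare('DELETE FROM persistent_logins WHERE selector = ?')->execute([$selector]);

    if ((int) $row['expires_at'] < $now) {
        return null;
    }
    // Constant-time comparison so the validator cannot be guessed byte by byte.
    if (!hash_equals($row['token_hash'], hash('sha256', $validator))) {
        return null;
    }
    $userId = (int) $row['user_id'];
    return [$userId, issueToken($db, $userId, $now)];
}

// Attributes for setcookie('remember_me', $value, cookieOptions($now)) in a real
// request: HTTPS only, as the answer requires, and hidden from page scripts.
function cookieOptions(int $now): array
{
    return ['expires' => $now + TOKEN_LIFETIME, 'path' => '/', 'secure' => true,
            'httponly' => true, 'samesite' => 'Lax'];
}

function check(bool $ok, string $what): void
{
    if (!$ok) {
        throw new RuntimeException("FAILED: $what");
    }
    echo "ok: $what\n";
}

// Constructed walk-through (run from the CLI with the pdo_sqlite extension).
$db  = openDb();
$now = time();
$cookie = issueToken($db, 42, $now);                       // user 42 ticked "keep login"
[$uid, $fresh] = consumeToken($db, $cookie, $now + 60);    // next visit
check($uid === 42 && $fresh !== $cookie, 'valid cookie accepted and rotated');
check(consumeToken($db, $cookie, $now + 120) === null, 'replaying the old cookie is refused');
[$sel] = explode(':', $fresh, 2);
check(consumeToken($db, $sel . ':0000', $now + 120) === null, 'tampered validator is refused');
check(consumeToken($db, $fresh, $now + 120) === null, 'and the genuine token it pointed at is burned');
$later = issueToken($db, 42, $now);
check(consumeToken($db, $later, $now + TOKEN_LIFETIME + 1) === null, 'token refused after 30 days');
```

Deleting the row as soon as its selector is presented is the strict reading of the answer's "destroy the old token": a tampered or replayed cookie not only fails, it also invalidates the legitimate holder's persistent login, which is the signal you want when a cookie has been copied. The cost is the one the answer mentions: a user whose browser lost the response that carried the rotated cookie will have to log in again with their password.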
這篇關于用 PHP 設計一個安全的自動登錄 cookie 系統(tǒng)的文章就介紹到這了,希望我們推薦的答案對大家有所幫助,也希望大家多多支持html5模板網(wǎng)!