“在这台计算机上记住我” - 它应该如何运作?
查看 Gmail 的 cookie,很容易看出“记住我”cookie 中存储的内容。 用户名/一次性访问令牌。 在用户名是秘密的情况下,它也可以以不同的方式实现。 但无论如何......这件事的安全性不是很高:你偷了cookie,然后你就可以走了。
然而,我的问题是在功能方面:您什么时候擦除他们的访问令牌? 如果用户在另一台计算机上未点击“记住我”而登录,是否会导致其在所有计算机上的访问令牌失效? 我问的是传统上是如何实现的,以及应该如何实现。
Looking at Gmail's cookies it's easy to see what's stored in the "remember me" cookie. The username/one-time-access-token. It could be implemented differently in cases where the username is secret, as well. But whatever... the thing is not very high security: you steal the cookie and you're ready to go.
My question is on the functional side, however: when do you wipe their access tokens? If a user logs in without clicking "remember me" on another machine, should it invalidate their access tokens on all machines? I'm asking about how this is traditionally implemented, and also how it should be implemented.
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(5)
我经常同时使用 2 或 3 台机器,并且所有机器上都有“记住我”。 如果其中一个断开了其他连接,那会很烦人,所以我不推荐它。
传统上,它会使用超时,cookie 在一定时间长度(或用户退出时)后过期。
这完全取决于您的安全模型。 如果您正在编写一个内部公司应用程序,您只希望一个用户在一台计算机上,那么您可能希望有比 gmail 更严格的限制。
另外,请记住拒绝服务的可能性 - 如果一台计算机上的操作会迫使另一台计算机无法使用,这可以用来防止合法用户在某些情况下夺回控制权。
I regularly use 2 or 3 machines simultaneously, and have "remember me" on all of them. If one of them disconnected the others that would be very annoying, so I wouldn't recommend it.
Traditionally it would use a time-out, the cookie expires after a certain length of time (or when the user signs out).
It all depends on your security model. If you are writing an internal company application where you only ever expect one user to be on one computer then you might want to have tighter restrictions than gmail.
Also, bear in mind the possibility of Denial of Service - if an action on one machine can force another machine to be unusable this could be use to prevent a legitimate user from taking control back in certain scenarios.
从另一台计算机登录不应使与另一台计算机上的 cookie 关联的登录无效。 但是,如果用户注销或“不是您?在此处登录”,这应该会清除用户正在使用的 cookie。
顺便说一句,通过坚持使用 https 并使其不用于脚本,可以使窃取 cookie 变得困难。
通过在 cookie 的输出中添加“; HttpOnly”,这将使 cookie 对 javascript 不可用,例如,
您可以阅读有关此内容的更多信息
Logging on from another machine should not invalidate the login associated with a cookie on a different machine. However if the users logsout or "not you? login here" this should clear the cookie on which the user is working.
By the way stealing a cookie can be made hard, by insisting on https and making it not for scripting.
By adding "; HttpOnly" to the out put of your cookie this will make the cookie unavailable to javascript e.g.
you can read more about this
记住我 cookie 也应该识别机器。 它应该与机器相关,因为有些地方你希望被记住,而另一些地方你不想被记住(家庭与工作)。
到期日期通常设置为合理的期限(两周)或在用户明确从计算机注销之后,
The remember me cookie should identify the machine as well. It should be related to the machine because there are places where you want to be remembered and other places where you don't (home vs work).
Expiration date is set usually to a reasonable period (two weeks) or after the user has explicitly logged off from the machine,
我要做的就是将每个会话链接到一个 IP 地址。 如果会话令牌是从与您的 IP 不同的 IP 发送的,请拒绝它。
What I would do is link each session to an IP address. If the a session token is sent from a different IP than you have for that, reject it.
访问令牌应该是特定于 IP 的,以便它们不能轻易地跨机器传输。
它们的实现方式还应该允许用户查看他们在哪些机器上拥有活动令牌。
在另一台计算机上创建新令牌后选择终止令牌的网站 - 选择他们的用户不会在多台计算机上访问他们的服务 - 或者如果他们这样做 - 他们的使用证明有理由让他们再次登录。
您采用的策略实际上取决于您所持有的数据和用户的需求。
Access tokens should be IP specific so that they can not easily be transferred across machines.
They should also be implemented in a way that allows users to see what machines they have active tokens on.
Sites that choose to kill off a token once a new one is created on another computer - make the choice that their users will not access their service on multiple computers - or if they do - that their usage justifies making them login again.
The policy you employ really depends on the data you are holding and the needs of the user.