Want to improve this question? Update the question so it can be answered with facts and citations by editing this post.
Closed 6 months ago.
The community reviewed whether to reopen this question 6 months ago and left it closed:
Original close reason(s) were not resolved
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
接受
或继续使用网站,即表示您同意使用 Cookies 和您的相关数据。
发布评论
评论(12)
好吧,让我直白地说:如果您出于此目的将用户数据或从用户数据派生的任何内容放入 cookie,那么您就做错了。
那里。我说过了。现在我们可以继续讨论实际的答案。
您可能会问,对用户数据进行哈希处理有什么问题吗?好吧,这归结为暴露表面和通过默默无闻实现的安全性。
想象一下您是攻击者。您会在会话中看到为记住我而设置的加密 cookie。它的宽度为 32 个字符。哎呀。这可能是 MD5...
让我们想象一下他们知道您使用的算法。例如:
现在,攻击者所需要做的就是暴力破解“盐”(这并不是真正的盐,稍后会详细介绍),并且他现在可以使用他的任何用户名生成他想要的所有假令牌IP地址!但是暴力破解盐很难,对吧?绝对地。但现代 GPU 非常擅长于此。除非你在其中使用足够的随机性(使其足够大),否则它会很快掉落,你的城堡的钥匙也会随之掉落。
简而言之,唯一能保护你的是盐,它并没有你想象的那么真正保护你。
但是等等!
所有这一切都是基于攻击者知道算法!如果它是秘密且令人困惑的,那么你就安全了,对吗? 错误。这种思路有一个名字:通过默默无闻实现安全,永远不应该依赖它。
更好的方法
更好的方法是永远不要让用户的信息离开服务器,除了 id 之外。
当用户登录时,生成一个大的(128 到 256 位)随机令牌。将其添加到数据库表中,该表将令牌映射到用户 ID,然后将其通过 cookie 发送到客户端。
如果攻击者猜测了另一个用户的随机令牌怎么办?
好吧,让我们在这里做一些数学计算。我们正在生成一个 128 位随机令牌。这意味着:
现在,为了显示这个数字有多大,让我们想象一下互联网上的每台服务器(假设今天有 50,000,000 台)都试图以每秒 1,000,000,000 次的速度暴力破解该数字。实际上,您的服务器在这样的负载下会崩溃,但让我们来解决这个问题。
所以每秒有 50 万亿次猜测。太快了!正确的?
所以 6.8 六万亿秒...
让我们尝试将其降低到更友好的数字。
或者甚至更好:
是的,那是宇宙年龄的47917倍……
基本上,它不会被破解。
总结一下:
我推荐的更好的方法是用三部分来存储 cookie。
然后,验证:
注意:不要使用令牌或用户和令牌的组合来查找数据库中的记录。始终确保根据用户获取记录,并使用时间安全的比较函数来比较获取的令牌。 有关定时攻击的更多信息。
现在,非常重要的是
SECRET_KEY
是一个加密秘密(由/dev/urandom
生成和/或从高熵输入)。此外,GenerateRandomToken()
需要是一个强大的随机源(mt_rand()
还不够强大。使用库,例如 RandomLib 或 random_compat,或mcrypt_create_iv()
与DEV_URANDOM
)...hash_equals()
是为了防止 计时攻击。如果您使用 PHP 5.6 以下的 PHP 版本,则函数
hash_equals()
不是支持。在这种情况下,您可以将hash_equals()
替换为timingSafeCompare函数:OK, let me put this bluntly: if you're putting user data, or anything derived from user data into a cookie for this purpose, you're doing something wrong.
There. I said it. Now we can move on to the actual answer.
What's wrong with hashing user data, you ask? Well, it comes down to exposure surface and security through obscurity.
Imagine for a second that you're an attacker. You see a cryptographic cookie set for the remember-me on your session. It's 32 characters wide. Gee. That may be an MD5...
Let's also imagine for a second that they know the algorithm that you used. For example:
Now, all an attacker needs to do is brute force the "salt" (which isn't really a salt, but more on that later), and he can now generate all the fake tokens he wants with any username for his IP address! But brute-forcing a salt is hard, right? Absolutely. But modern day GPUs are exceedingly good at it. And unless you use sufficient randomness in it (make it large enough), it's going to fall quickly, and with it the keys to your castle.
In short, the only thing protecting you is the salt, which isn't really protecting you as much as you think.
But Wait!
All of that was predicated that the attacker knows the algorithm! If it's secret and confusing, then you're safe, right? WRONG. That line of thinking has a name: Security Through Obscurity, which should NEVER be relied upon.
The Better Way
The better way is to never let a user's information leave the server, except for the id.
When the user logs in, generate a large (128 to 256 bit) random token. Add that to a database table which maps the token to the userid, and then send it to the client in the cookie.
What if the attacker guesses the random token of another user?
Well, let's do some math here. We're generating a 128 bit random token. That means that there are:
Now, to show how absurdly large that number is, let's imagine every server on the internet (let's say 50,000,000 today) trying to brute-force that number at a rate of 1,000,000,000 per second each. In reality your servers would melt under such load, but let's play this out.
So 50 quadrillion guesses per second. That's fast! Right?
So 6.8 sextillion seconds...
Let's try to bring that down to more friendly numbers.
Or even better:
Yes, that's 47917 times the age of the universe...
Basically, it's not going to be cracked.
So to sum up:
The better approach that I recommend is to store the cookie with three parts.
Then, to validate:
Note: Do not use the token or combination of user and token to lookup a record in your database. Always be sure to fetch a record based on the user and use a timing-safe comparison function to compare the fetched token afterwards. More about timing attacks.
Now, it's very important that the
SECRET_KEY
be a cryptographic secret (generated by something like/dev/urandom
and/or derived from a high-entropy input). Also,GenerateRandomToken()
needs to be a strong random source (mt_rand()
is not nearly strong enough. Use a library, such as RandomLib or random_compat, ormcrypt_create_iv()
withDEV_URANDOM
)...The
hash_equals()
is to prevent timing attacks.If you use a PHP version below PHP 5.6 the function
hash_equals()
is not supported. In this case you can replacehash_equals()
with the timingSafeCompare function:通常我会这样做:
当然你可以使用不同的cookie名称等您还可以稍微更改 cookie 的内容,只要确保它不会轻易创建即可。例如,您还可以在创建用户时创建 user_salt 并将其放入 cookie 中。
您也可以使用 sha1 而不是 md5 (或几乎任何算法)
Usually I do something like this:
Of course you can use different cookie names etc. also you can change the content of the cookie a bit, just make sure it isn't to easily created. You can for example also create a user_salt when the user is created and also put that in the cookie.
Also you could use sha1 instead of md5 (or pretty much any algorithm)
简介
您的标题“让我保持登录状态”- 最佳方法让我很难知道从哪里开始,因为如果您正在寻找最佳方法,那么您必须考虑以下因素:
Cookie
Cookie 很容易受到攻击,在常见的浏览器 cookie 盗窃漏洞和跨站点脚本攻击之间,我们必须承认 cookie 并不安全。为了帮助提高安全性,您必须注意
php
setcookies
还有其他功能,例如定义
简单方法
一个简单的解决方案是:
上述案例研究总结了本页给出的所有示例,但它们的缺点是,
更好的解决方案
更好的解决方案是
示例代码
使用的类
在 Firefox 和 Firefox 中进行测试Chrome
优点
缺点
快速修复
多 Cookie 方法
当攻击者要窃取 cookie 时,唯一关注的是特定网站或域,例如。 example.com
但实际上,您可以对来自 2 个不同域的用户进行身份验证(example.com 和 fakeaddsite.com),并使其看起来像“广告 Cookie”
有些人可能想知道如何使用 2 个不同的 cookie ?好吧,这是可能的,想象一下
example.com = localhost
和fakeaddsite.com = 192.168.1.120
。如果您检查 cookie,它看起来像这样从上图中
192.168.1.120
HTTP_REFERER
REMOTE_ADDR
的连接优点
缺点
改进
ajax
Introduction
Your title “Keep Me Logged In” - the best approach make it difficult for me to know where to start because if you are looking at best approach then you would have to consideration the following :
Cookies
Cookies are vulnerable, Between common browser cookie-theft vulnerabilities and cross-site scripting attacks we must accept that cookies are not safe. To help improve security you must note that
php
setcookies
has additional functionality such asDefinitions
Simple Approach
A simple solution would be :
The above case study summarizes all example given on this page but they disadvantages is that
Better Solution
A better solution would be
Example Code
Class Used
Testing in Firefox & Chrome
Advantage
Disadvantage
Quick Fix
Multiple Cookie Approach
When an attacker is about to steal cookies the only focus it on a particular website or domain eg. example.com
But really you can authenticate a user from 2 different domains (example.com & fakeaddsite.com) and make it look like "Advert Cookie"
Some people might wonder how can you use 2 different cookies ? Well its possible, imagine
example.com = localhost
andfakeaddsite.com = 192.168.1.120
. If you inspect the cookies it would look like thisFrom the image above
192.168.1.120
HTTP_REFERER
REMOTE_ADDR
Advantage
Disadvantage
Improvement
ajax
老线程,但仍然是一个有效的担忧。我注意到一些关于安全性的良好回应,并避免使用“通过默默无闻的安全性”,但在我看来,给出的实际技术方法还不够。在贡献我的方法之前我必须说的话:
综上所述,有两种在系统上实现自动登录的好方法。
首先,以廉价、简单的方式将一切都交给别人。如果您让您的网站支持使用您的 google+ 帐户登录,那么您可能有一个简化的 google+ 按钮,如果用户已经登录到 google,该按钮将使用户登录(我在这里这样做是为了回答这个问题,因为我总是这样做)登录谷歌)。如果您希望用户在已使用受信任且受支持的身份验证器登录的情况下自动登录,并选中此框,请让您的客户端脚本在加载之前执行相应“登录方式”按钮后面的代码,只需确保服务器在自动登录表中存储唯一 ID,其中包含用户名、会话 ID 和用于用户的身份验证器。由于这些登录方法使用 AJAX,因此您无论如何都在等待响应,并且该响应要么是经过验证的响应,要么是拒绝的响应。如果您收到经过验证的响应,请照常使用它,然后继续照常加载登录用户。否则,登录失败,但不要告诉用户,只需以未登录的方式继续,他们会注意到的。这是为了防止窃取 cookie(或伪造 cookie 以尝试升级权限)的攻击者得知用户自动登录网站。
这很便宜,而且也可能被一些人认为是肮脏的,因为它试图验证您可能已经在 Google 和 Facebook 等地方登录的自我,甚至不告诉您。但是,它不应该用于未要求自动登录您的网站的用户,并且此特定方法仅用于外部身份验证,例如 Google+ 或 FB。
由于外部身份验证器用于告诉后台服务器用户是否已通过验证,因此攻击者无法获得除唯一 ID 之外的任何内容,而唯一 ID 本身是无用的。我将详细说明:
无论如何,即使攻击者使用不存在的 ID,除非收到经过验证的响应,否则所有尝试都应该失败。
对于使用外部身份验证器登录您的站点的用户来说,此方法可以而且应该与您的内部身份验证器结合使用。
=========
现在,对于您自己的可以自动登录用户的身份验证器系统,我是这样做的:
数据库有几个表:
请注意,用户名可以长度为 255 个字符。我的服务器程序将系统中的用户名限制为 32 个字符,但外部身份验证器的用户名及其 @domain.tld 可能大于此值,因此我只支持电子邮件地址的最大长度以获得最大兼容性。
注意,这个表中没有user字段,因为登录时的用户名是在会话数据中的,程序不允许空数据。 session_id 和 session_token 可以使用随机 md5 哈希、sha1/128/256 哈希、添加随机字符串然后哈希的日期时间戳或任何您想要的方式生成,但输出的熵应保持在可容忍的范围内甚至可以减轻暴力攻击,并且在尝试添加会话类生成的所有哈希值之前,应检查会话表中的匹配项。
MAC 地址本质上应该是唯一的,因此每个条目都有一个唯一的值是有意义的。另一方面,主机名可以在不同的网络上合法地重复。有多少人使用“Home-PC”作为他们的计算机名称之一?用户名是由服务器后端从会话数据中获取的,因此不可能对其进行操作。至于令牌,应使用与为页面生成会话令牌相同的方法来在 cookie 中生成用于用户自动登录的令牌。最后,添加日期时间代码,以便用户需要重新验证其凭据。要么在用户登录时更新此日期时间,将其保留在几天内,要么强制其过期,无论上次登录如何,仅将其保留一个月左右,无论您的设计如何规定。
这可以防止某人系统地欺骗他们知道自动登录的用户的 MAC 和主机名。绝不让用户使用其密码、明文或其他方式保存 cookie。在每个页面导航上重新生成令牌,就像会话令牌一样。这大大降低了攻击者获取有效令牌 cookie 并使用它登录的可能性。有些人会试图说攻击者可以窃取受害者的 cookie 并进行会话重放攻击来登录。如果攻击者能够窃取 cookie(这是可能的),他们肯定会破坏整个设备,这意味着他们无论如何都可以使用该设备登录,这完全违背了窃取 cookie 的目的。只要您的网站通过 HTTPS 运行(在处理密码、CC 号码或其他登录系统时就应该如此),您就已经为用户提供了在浏览器中所能提供的所有保护。
要记住一件事:如果您使用自动登录,会话数据不应过期。您可以错误地终止继续会话的能力,但如果会话数据是预期在会话之间继续的持久数据,则验证到系统应该恢复会话数据。如果您想要持久和非持久会话数据,请使用另一个表来存储持久会话数据,并将用户名作为 PK,并让服务器像正常会话数据一样检索它,只需使用另一个变量即可。
一旦以这种方式实现登录,服务器仍应验证会话。您可以在此处对被盗或受损系统的期望进行编码;登录会话数据的模式和其他预期结果通常可以得出系统被劫持或伪造 cookie 以获得访问权限的结论。您的 ISS 技术可以在此处放置触发帐户锁定或自动从自动登录系统中删除用户的规则,从而将攻击者拒之门外足够长的时间,以便用户确定攻击者如何成功以及如何将其切断。
作为结束语,请确保任何恢复尝试、密码更改或超过阈值的登录失败都会导致自动登录被禁用,直到用户正确验证并确认发生了这种情况。
如果有人期望在我的答案中给出代码,我深表歉意,这不会在这里发生。我会说我使用 PHP、jQuery 和 AJAX 来运行我的网站,并且我从不使用 Windows 作为服务器......永远。
Old thread, but still a valid concern. I noticed some good responses about security, and avoiding use of 'security through obscurity', but the actual technical methods given were not sufficient in my eyes. Things I must say before I contribute my method:
That all being said, there are two great ways to have auto-signin on your system.
First, the cheap, easy way that puts it all on someone else. If you make your site support logging in with, say, your google+ account, you probably have a streamlined google+ button that will log the user in if they are already signed into google (I did that here to answer this question, as I am always signed into google). If you want the user automatically signed in if they are already signed in with a trusted and supported authenticator, and checked the box to do so, have your client-side scripts perform the code behind the corresponding 'sign-in with' button before loading, just be sure to have the server store a unique ID in an auto-signin table that has the username, session ID, and the authenticator used for the user. Since these sign-in methods use AJAX, you are waiting for a response anyway, and that response is either a validated response or a rejection. If you get a validated response, use it as normal, then continue loading the logged in user as normal. Otherwise, the login failed, but don't tell the user, just continue as not logged in, they will notice. This is to prevent an attacker who stole cookies (or forged them in an attempt to escalate privileges) from learning that the user auto-signs into the site.
This is cheap, and might also be considered dirty by some because it tries to validate your potentially already signed in self with places like Google and Facebook, without even telling you. It should, however, not be used on users who have not asked to auto-signin your site, and this particular method is only for external authentication, like with Google+ or FB.
Because an external authenticator was used to tell the server behind the scenes whether or not a user was validated, an attacker cannot obtain anything other than a unique ID, which is useless on its own. I'll elaborate:
No matter what, even if an attacker uses an ID that does not exist, the attempt should fail on all attempts except when a validated response is received.
This method can and should be used in conjunction with your internal authenticator for those who sign into your site using an external authenticator.
=========
Now, for your very own authenticator system that can auto-signin users, this is how I do it:
DB has a few tables:
Note that the username is capable of being 255 characters long. I have my server program limit usernames in my system to 32 characters, but external authenticators might have usernames with their @domain.tld be larger than that, so I just support the maximum length of an email address for maximum compatibility.
Note that there is no user field in this table, because the username, when logged in, is in the session data, and the program does not allow null data. The session_id and the session_token can be generated using random md5 hashes, sha1/128/256 hashes, datetime stamps with random strings added to them then hashed, or whatever you would like, but the entropy of your output should remain as high as tolerable to mitigate brute-force attacks from even getting off the ground, and all hashes generated by your session class should be checked for matches in the sessions table prior to attempting to add them.
MAC addresses by their nature are supposed to be UNIQUE, therefore it makes sense that each entry has a unique value. Hostnames, on the other hand, could be duplicated on separate networks legitimately. How many people use "Home-PC" as one of their computer names? The username is taken from the session data by the server backend, so manipulating it is impossible. As for the token, the same method to generate session tokens for pages should be used to generate tokens in cookies for the user auto-signin. Lastly, the datetime code is added for when the user would need to revalidate their credentials. Either update this datetime on user login keeping it within a few days, or force it to expire regardless of last login keeping it only for a month or so, whichever your design dictates.
This prevents someone from systematically spoofing the MAC and hostname for a user they know auto-signs in. NEVER have the user keep a cookie with their password, clear text or otherwise. Have the token be regenerated on each page navigation, just as you would the session token. This massively reduces the likelihood that an attacker could obtain a valid token cookie and use it to login. Some people will try to say that an attacker could steal the cookies from the victim and do a session replay attack to login. If an attacker could steal the cookies (which is possible), they would certainly have compromised the entire device, meaning they could just use the device to login anyway, which defeats the purpose of stealing cookies entirely. As long as your site runs over HTTPS (which it should when dealing with passwords, CC numbers, or other login systems), you have afforded all the protection to the user that you can within a browser.
One thing to keep in mind: session data should not expire if you use auto-signin. You can expire the ability to continue the session falsely, but validating into the system should resume the session data if it is persistent data that is expected to continue between sessions. If you want both persistent AND non-persistent session data, use another table for persistent session data with the username as the PK, and have the server retrieve it like it would the normal session data, just use another variable.
Once a login has been achieved in this way, the server should still validate the session. This is where you can code expectations for stolen or compromised systems; patterns and other expected results of logins to session data can often lead to conclusions that a system was hijacked or cookies were forged in order to gain access. This is where your ISS Tech can put rules that would trigger an account lockdown or auto-removal of a user from the auto-signin system, keeping attackers out long enough for the user to determine how the attacker succeeded and how to cut them off.
As a closing note, be sure that any recovery attempt, password changes, or login failures past the threshold result in auto-signin being disabled until the user validates properly and acknowledges this has occurred.
I apologize if anyone was expecting code to be given out in my answer, that's not going to happen here. I will say that I use PHP, jQuery, and AJAX to run my sites, and I NEVER use Windows as a server... ever.
我在这里问了这个问题的一个角度,并且答案将引导您找到您需要的所有基于令牌的超时 cookie 链接。
基本上,您不会将 userId 存储在 cookie 中。您存储一个一次性令牌(巨大的字符串),用户用它来获取旧的登录会话。然后,为了使其真正安全,您需要输入密码才能进行繁重的操作(例如更改密码本身)。
I asked one angle of this question here, and the answers will lead you to all the token-based timing-out cookie links you need.
Basically, you do not store the userId in the cookie. You store a one-time token (huge string) which the user uses to pick-up their old login session. Then to make it really secure, you ask for a password for heavy operations (like changing the password itself).
我会推荐 Stefan 提到的方法(即遵循 改进的持久登录 Cookie 最佳实践中的指南),并建议您确保您的 Cookie 是 HttpOnly cookie JavaScript 无法访问它们,可能是恶意的。
I would recommend the approach mentioned by Stefan (i.e. follow the guidelines in Improved Persistent Login Cookie Best Practice) and also recommend that you make sure your cookies are HttpOnly cookies so they are not accessible to, potentially malicious, JavaScript.
生成一个哈希值,可能包含只有您知道的秘密,然后将其存储在您的数据库中,以便它可以与用户关联。应该工作得很好。
Generate a hash, maybe with a secret only you know, then store it in your DB so it can be associated with the user. Should work quite well.
当您需要进行黑客攻击时,我不明白将加密内容存储在 cookie 中的概念。如果我遗漏了什么,请评论。
我正在考虑采用这种方法来“记住我”。如果您发现任何问题,请发表评论。
创建一个表来存储“记住我”数据 - 与用户表分开,以便我可以从多个设备登录。
成功登录后(勾选“记住我”):
a) 生成一个唯一的随机字符串,用作本机上的 UserID:bigUserID
b) 生成唯一的随机字符串:bigKey
c) 存储 cookie:bigUserID:bigKey
d) 在“记住我”表中,添加一条记录:UserID、IP 地址、bigUserID、bigKey
a) 检查 cookie 并搜索 bigUserID & bigKey 具有匹配的 IP 地址
b) 如果找到它,请将该人登录,但在用户表“软登录”中设置一个标志,以便对于任何危险操作,您可以提示完全登录。
注销时,将该用户的所有“记住我”记录标记为过期。
我能看到的唯一漏洞是;
I don't understand the concept of storing encrypted stuff in a cookie when it is the encrypted version of it that you need to do your hacking. If I'm missing something, please comment.
I am thinking about taking this approach to 'Remember Me'. If you can see any issues, please comment.
Create a table to store "Remember Me" data in - separate to the user table so that I can log in from multiple devices.
On successful login (with Remember Me ticked):
a) Generate a unique random string to be used as the UserID on this machine: bigUserID
b) Generate a unique random string: bigKey
c) Store a cookie: bigUserID:bigKey
d) In the "Remember Me" table, add a record with: UserID, IP Address, bigUserID, bigKey
If trying to access something that requires login:
a) Check for the cookie and search for bigUserID & bigKey with a matching IP address
b) If you find it, Log the person in but set a flag in the user table "soft login" so that for any dangerous operations, you can prompt for a full login.
On logout, Mark all the "Remember Me" records for that user as expired.
The only vulnerabilities that I can see is;
我阅读了所有答案,但仍然发现很难提取出我应该做的事情。如果一张图片值 1000 个单词,我希望这可以帮助其他人基于 Barry Jaspan 的改进的持久登录 Cookie 最佳实践<实现安全持久存储/a>
如果您有疑问、反馈或建议,我将尝试更新图表以反映试图实现安全持久登录的新手。
I read all the answers and still found it difficult to extract what I was supposed to do. If a picture is worth 1k words I hope this helps others implement a secure persistent storage based on Barry Jaspan's Improved Persistent Login Cookie Best Practice
If you have questions, feedback, or suggestions, I will try to update the diagram to reflect for the newbie trying to implement a secure persistent login.
我的解决方案是这样的。它不是 100% 防弹,但我认为它会在大多数情况下拯救你。
当用户成功登录时,使用以下信息创建一个字符串:
加密
$data
,将类型设置为 HttpOnly 并设置 cookie。当用户返回您的网站时,请执行以下步骤:
:
字符将其分解。如果用户退出,请删除此 cookie。如果用户重新登录,则创建新的 cookie。
My solution is like this. It's not 100% bulletproof but I think it will save you for the most of the cases.
When user logged in successfully create a string with this information:
Encrypt
$data
, set type to HttpOnly and set cookie.When user come back to your site, Make this steps:
:
character.If user signouts, remove this cookie. Create new cookie if user re-logins.
我认为你可以这样做:
将
$cookiestring
存储在数据库中并将其设置为 cookie。还将该人的用户名设置为 cookie。哈希的全部意义在于它不能被逆向工程。当用户出现时,从一个 cookie 获取用户名,而不是从另一个 cookie 获取
$cookieString
。如果$cookieString
与数据库中存储的匹配,则用户通过身份验证。由于password_hash每次使用不同的盐,因此与明文是什么无关。I think you could just do this:
Store
$cookiestring
in the DB and and set it as a cookie. Also set the username of the person as a cookie. The whole point of a hash is that it can't be reverse-engineered.When a user turns up, get the username from one cookie, than
$cookieString
from another. If$cookieString
matches the one stored in the DB, then the user is authenticated. As password_hash uses a different salt each time, it is irrelevant as to what the clear text is.实现“保持登录”功能意味着您需要准确定义这对用户意味着什么。在最简单的情况下,我会用它来表示会话有更长的超时:2 天(比如说)而不是 2 小时。为此,您将需要自己的会话存储(可能在数据库中),以便您可以为会话数据设置自定义到期时间。然后,您需要确保设置的 cookie 会保留几天(或更长时间),而不是在关闭浏览器时过期。
我能听到你问“为什么是 2 天?为什么不是 2 周?”。这是因为在 PHP 中使用会话会自动推迟到期时间。这是因为 PHP 中的会话过期实际上是空闲超时。
现在,话虽如此,我可能会实现一个更严格的超时值,将其存储在会话本身中,并在两周左右的时间后退出,并添加代码来查看该值并强制使会话无效。或者至少将它们注销。这意味着用户将被要求定期登录。雅虎!这样做。
Implementing a "Keep Me Logged In" feature means you need to define exactly what that will mean to the user. In the simplest case, I would use that to mean the session has a much longer timeout: 2 days (say) instead of 2 hours. To do that, you will need your own session storage, probably in a database, so you can set custom expiry times for the session data. Then you need to make sure you set a cookie that will stick around for a few days (or longer), rather than expire when they close the browser.
I can hear you asking "why 2 days? why not 2 weeks?". This is because using a session in PHP will automatically push the expiry back. This is because a session's expiry in PHP is actually an idle timeout.
Now, having said that, I'd probably implement a harder timeout value that I store in the session itself, and out at 2 weeks or so, and add code to see that and to forcibly invalidate the session. Or at least to log them out. This will mean that the user will be asked to login periodically. Yahoo! does this.