Long-lived cookies
I'm looking for a way for users to be able to connect to my application easily, but rarely. What I want to do is be able to store a cookie with a 1-year life on the user's computer. If they access the website while the cookie is active, they will be automatically logged in.
My proposed solution is this: Upon initial login, create a cookie with the user's IP address, last login date, and a random number, all hashed together. I will also store their user ID and IP address in cookies as well. These values will also be stored in the database. If after a few months they access the site again and the IP address, ID, and hash match the values in the database, then they are automatically logged in. A new hash is computed. If any of these don't match, then the user will be prompted to log in again.
Are there any obvious security flaws in this design? I am not worried about IP addresses changing; this will be for professors on a university campus.
Thanks in advance,
--Dave
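The scheme described in the question, written out as an added example (this is not the poster's code and is not from any answer on this page). It keeps the question's shape: a cookie carrying the user ID plus a random secret, a server-side record bound to the IP address that was seen at login, a 1-year expiry, and a fresh value issued on every successful automatic login. Two details go slightly beyond the question: the only unguessable input is a 32-byte random token (the IP address and login date are known to an attacker, so hashing them in adds nothing), and the database keeps only the SHA-256 of that token, so a leaked table cannot be turned into working cookies. The in-memory dictionary is a constructed stand-in for the database table, and all names and the user/IP values are assumptions for illustration.

```python
import base64
import binascii
import hashlib
import hmac
import secrets
import time

ONE_YEAR = 365 * 24 * 3600


class RememberMeStore:
    """Constructed stand-in for the question's database table.

    rows: user_id -> {"token_hash": bytes, "ip": str, "expires": int}
    Only the hash of the random token is kept, never the token itself.
    """

    def __init__(self):
        self.rows = {}

    def issue(self, user_id, ip, now=None):
        """Create a 1-year remember-me cookie for user_id, bound to ip.

        Returns the cookie value the server should set, "user_id:base64(token)".
        """
        now = int(time.time()) if now is None else now
        token = secrets.token_bytes(32)  # the only secret in the cookie
        self.rows[user_id] = {
            "token_hash": hashlib.sha256(token).digest(),
            "ip": ip,
            "expires": now + ONE_YEAR,
        }
        return f"{user_id}:{base64.urlsafe_b64encode(token).decode()}"

    def validate(self, cookie, ip, now=None):
        """Check a presented cookie against the stored record.

        Returns (user_id, new_cookie) on success, None on any failure.
        The token is rotated on success, so a copied cookie is worthless
        once the legitimate browser has used it.
        """
        now = int(time.time()) if now is None else now
        try:
            user_id, b64 = cookie.split(":", 1)
            token = base64.urlsafe_b64decode(b64)
        except (ValueError, binascii.Error):
            return None  # malformed cookie, treat as not logged in

        row = self.rows.get(user_id)
        if row is None or now > row["expires"]:
            return None  # unknown user or the 1-year window has passed
        if row["ip"] != ip:
            return None  # the IP binding the question asks for

        presented = hashlib.sha256(token).digest()
        # Constant-time comparison so the token cannot be guessed byte by byte.
        if not hmac.compare_digest(presented, row["token_hash"]):
            return None

        # Success: rotate so the old cookie value can never be replayed.
        return user_id, self.issue(user_id, ip, now)


if __name__ == "__main__":
    store = RememberMeStore()
    cookie = store.issue("prof42", "10.0.0.5")
    print("issued:", cookie)
    print("same IP, valid token:", store.validate(cookie, "10.0.0.5") is not None)
    print("replay of old cookie:", store.validate(cookie, "10.0.0.5"))
```

The cookie itself should be set with `HttpOnly` and `Secure` so a script injection or a plaintext hop on the campus network cannot read it; the store above only decides whether a presented value is still acceptable.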
Comments (3)
Your question does not make it clear how this system is any different from any other standard long-life cookie. Those are used across the web without significant security problems, so I see no reason you could not also use a cookie in a similar fashion.
No.
I would say it's definitely a security risk if someone figures out the system. To be honest, I would rethink that setup, at least the storing-it-in-a-database part. Not to mention the fact that cookies very rarely stay on someone's computer for a year anyway; most people clean them far more frequently.
But since you asked, creating it is pretty easy:
Instead of "mycookie" you could insert that token you were talking about. Hope that helps a little.