“记住我的密码”如何实现?复选框工作?
有许多登录表单都带有“记住我的密码”小复选框,以便您下次访问该网站时,浏览器会自动为您填写密码字段。
但我注意到现代浏览器(例如 Chrome/Firefox)中的一种行为,即使该特定网页没有任何“记住密码”复选框,它也会显示一个通知栏来保存用户名/密码。
所以我的问题是:
- 如果我必须在登录表单中添加“记住密码”复选框,当用户选中它时我该怎么办?我的意思是,我是否必须将密码存储在浏览器 cookie(或本地存储)中?如果是,密码应该是加密的还是纯文本的?
- “保存密码”通知栏是浏览器的功能,或者有什么方法可以从网页调用它?
There are numerous login forms with the little check box "Remember my password" so that the next time you visit the website, the browser automatically fills up the password field for you.
But I have noticed a behavior in modern browsers, such as Chrome/Firefox, which shows up a notification bar to save the user name/passoword even though that particular web page does not have any "remember password" check box.
so my questions are:
- If I have to put the "remember password" check box in a login form, what do I have to do when the user checks it? I mean, do I have to store the password in browser cookies (or Local Storage)? If so, should the password be encrypted or plain text?
- The "Save password" notification bar is a browser's functionality or is there any way to invoke it from the web page?
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(6)
每当浏览器的密码管理器看到看起来确实需要密码的
时,“保存密码”部分就会来自浏览器的密码管理器。您可以使用 autocomplete 属性在大多数浏览器中抑制此行为:这不会验证,但通常并不重要。
“记住我”部分与浏览器的密码管理器完全分开。 “记住我”标志是服务器的事,它所做的只是修改它发回的 cookie 的到期日期。服务器总是会发回一个 cookie(除非他们不使用 cookie 来跟踪会话,但这种情况很少见,而且也不需要“记住我”),其中包含一些内容来识别客户端用户。
如果您选中“记住我”,那么您就是在告诉服务器您想要一个持久会话。为了实现这一点,服务器将在 cookie 中包含一个到期日期,并且该到期日期将是未来的某个时间。当该日期到达时,浏览器将过期并删除cookie;如果没有 cookie,服务器将不再知道您是谁,您将不得不再次登录。
如果您不选中“记住我”,那么您将获得一个会话 cookie。会话 cookie 没有过期日期,因此当浏览器退出时会自动过期。会话 cookie 对于共享计算机很有用。
执行摘要:
很抱歉啰嗦了这么长,但其他答案似乎有些混乱和缺乏清晰度。
The "save password" part comes from the browser's password manager whenever it sees an
<input type="password">that looks like it really is asking for a password. You can use the autocomplete attribute to suppress this in most browsers:This won't validate but that usually doesn't matter.
The "remember me" part is completely separate from the browser's password manager. The "remember me" flag is the server's business and all it does is fiddle with the expiry date on the cookie that it sends back. The server will always send a cookie back (unless they're not using cookies for tracking sessions but that's rare and wouldn't need a "remember me" anyway) with something inside it to identify the client user.
If you check "remember me" then you're telling the server that you want a persistent session. To achieve this, the server will include an expiry date with the cookie and that expiry date will be some time in the future. When the date arrives, the browser will expire and delete the cookie; without the cookie, the server won't know who you are anymore and you'll have to login again.
If you don't check "remember me" then you'll get a session cookie. Session cookies don't have expiry dates on them so automatically expire when the browser exits. Session cookies are useful for shared machines.
Executive summary:
Sorry to be so long winded but there seems to be some confusion and a lack of clarity in the other answers.
问题 1:
会话 ID 存储在 cookie 中。 AFAIK,密码或其哈希值不会被存储。每当您登录时,服务器端都会创建一个会话。如果您在选中“记住我”的情况下登录,服务器会传递一个带有会话 ID(或加密的会话 ID,或唯一标识用户会话的内容)的 Cookie cookie保存在客户端。
当您下次登录时,服务器会检查会话中是否有 cookie,如果存在(并且会话尚未被终止/过期 - 请参阅下面的第 2 点),那么服务器会将您识别为“Veera”并让您进入该网站。
许多网站提供“注销所有会话”选项(例如 Gmail:请参见窗口底部)。这将使与该用户关联的所有会话无效。
问题2:
记住密码是浏览器提供的一项功能。浏览器会查看页面上是否有
并提示您保存此密码。任何都会触发此操作。服务器记住您和浏览器记住您的密码之间的区别在于您的密码是否被保存。与“注销所有会话”选项相结合,这比让浏览器保存您的密码要好得多。
Question 1:
The session id is stored in the cookie. AFAIK, the password, or the hash of it is not stored. A session is created on the server side whenever you log in. If you logged in with "Remember Me" checked, the server passes a cookie with the session id (or encrypted session id, or something that uniquely identifies the user session) and this cookie is saved on the client side.
When you login for the next time, the server checks whether there is a cookie with the session, if it is there (and the session has not been killed/expired - see point 2 below) then the server identifies you as "Veera" and lets you in the site.
Many websites offer an option of "Logout all sessions" (like Gmail: see the bottom of the window). This would invalidate all sessions associated with the user.
Question 2:
The remember password is a feature offered by the browser. The browser sees whether there is a
<input type=password>on the page and prompts to save this password for you. Any<input type=password>would trigger this.The difference between the server remembering you and the browser remembering your password is whether your password is saved or not. And combined with the option of "Logging out all sessions" this is a lot better than letting the browser save your password.
您需要一种方法来了解用户是谁。通常这是通过在用户浏览器上保存 cookie 来完成的。您应该只使用不易被欺骗的东西,因此应该使用加密。您可以使用本地存储,只要您确信您的网站上使用的所有浏览器都支持它。
不,没有。拥有密码字段通常会触发该栏。
You will need a way to know who the user is. Normally this is done by saving a cookie on the users browser. You should only use something that is not easily spoofed and so encryption should be used. You could use local storage, so long as you are confident that all browsers that will be used on your site support it.
No, there isn't. Having a password field is normally what triggers the bar.
你需要在客户端保存一个cookie,当然是加密的。
现在有了 HTML5,我建议您使用本地存储
我使用这个 jstorage 插件
you need to save a cookie on the client side, encrypted ofcourse.
now with HTML5 i will recommend you to use Local Storage
i use this jstorage plugin