“记住我”的 Cookie在JSF
我有一个登录页面,我想添加“记住我”功能;这样,如果用户注销并再次打开页面,则会加载他的用户名和密码。 为此,当用户登录(并选中“记住我”)时,我保存以下 cookie:
FacesContext facesContext = FacesContext.getCurrentInstance();
Cookie userCookie = new Cookie("vtusername", username);
userCookie.setMaxAge(3600);
((HttpServletResponse) facesContext.getExternalContext()
.getResponse()).addCookie(userCookie);
Cookie passCokie = new Cookie("vtpassword", password);
passCokie.setMaxAge(3600);
((HttpServletResponse) facesContext.getExternalContext()
.getResponse()).addCookie(passCokie);
问题是稍后(在同一会话中)我读取 cookie,并看到 maxAge = -1;即使我我将其设置为 3600...为什么呢? 另一个问题:如果我使用 userCookie.setSecure(true) 设置 cookie 安全,那么我无法读取它(它消失)。
另一个问题:既然密码存储在cookie中,我应该如何加密它?最佳做法是什么?
提前致谢
I have a login page, and I want to add the "Remember me" feature; so that if user logs out and opens the page again, his username and password are loaded.
For this, when user logs in (and "remember me" is checked") I save the following cookies:
FacesContext facesContext = FacesContext.getCurrentInstance();
Cookie userCookie = new Cookie("vtusername", username);
userCookie.setMaxAge(3600);
((HttpServletResponse) facesContext.getExternalContext()
.getResponse()).addCookie(userCookie);
Cookie passCokie = new Cookie("vtpassword", password);
passCokie.setMaxAge(3600);
((HttpServletResponse) facesContext.getExternalContext()
.getResponse()).addCookie(passCokie);
The problem is that later (in the same session) I read the cookies and I see that maxAge = -1; even though I'm setting it to 3600... why is that?
Another issue: if I set the cookie secure with userCookie.setSecure(true) then I can't read it (it dissapears).
Another question: since a password is being stored in a cookie, should I encrypt it some how? what is the best practice?
Thanks in advance
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(1)
因为浏览器不会发回 maxage。它仅发送回 cookie name=value。 maxage 仅存储在浏览器中。您可以在网络浏览器本身的 cookie 查看器/编辑器中检查它。例如,在 Firefox 中,您可以通过工具 > 来检查所有 cookie。选项>隐私>删除单个cookie。输入域(例如 localhost)以查看 cookie。
它仅在通过 HTTPS 而不是 HTTP 提供请求/响应时有效。此外,当请求已通过 HTTPS 提供服务时,它已默认为 secure=true。
不要将原始名称/密码存储在两个 cookie 中。除此之外,这可以很容易地放入一个 cookie 中,这是一个非常糟糕的主意,而且很容易被破解。使用具有自动生成的长、唯一且无法猜测的值的单个 cookie。将此值与用户 ID 一起存储在服务器端的数据库中。当有人使用此 cookie 访问您的网站,但用户尚未登录(即会话中没有
User对象)时,您可以进行自动登录。另请参阅:
Because the browser doesn't send the maxage back. It only sends the cookie name=value back. The maxage is only stored in the browser. You can check it in the cookie viewer/editor of the webbrowser itself. In Firefox for example, you can check all cookies by Tools > Options > Privacy > Remove individual cookies. Enter the domain (e.g. localhost) to see the cookies.
It only works when the request/response is served over HTTPS instead of HTTP. Also, when the request is already served over HTTPS, it will already default to secure=true.
Do not store the raw name/password in two cookies. Apart from that this can easily go in just a single cookie, this is a very bad idea and easily hackable. Use a single cookie with an autogenerated long, unique and impossible-to-guess value. Store this value along with the user ID in a database in the server side. When someone visits your site with this cookie, but the user is not logged in yet (i.e. there's no
Userobject in session), then you can do the automatic login.See also: