問題描述

我的網(wǎng)站有一個登錄系統(tǒng)，存儲在數(shù)據(jù)庫中的用戶詳細信息是用戶 ID(每個用戶和標(biāo)識符唯一的)、電子郵件地址強>(唯一)、顯示名稱(非唯一)、密碼和會員身份.
現(xiàn)在我應(yīng)該在 cookie 中存儲什么?我正在考慮僅將用戶 ID 存儲在具有到期日期的 cookie 中，然后如果用戶在注冊后重新訪問我的網(wǎng)站，請檢查 cookie 并讓他登錄(這對我來說不合適)并銷毀 cookie如果他決定退出.
*稍微解釋一下也會很有幫助.謝謝

I have a login system in place for my website, the details of the user which are stored in the database are userid(unique for every user and identifier), email address(unique), display name(not unique), password and membersince.
Now what should I store in the cookies? I was thinking about storing just the userid in the cookie with an expiration date and then if the user revisits my website after signing up check for the cookie and log him in( which kind of doesn't look right to me) and destroy the cookie if he decides to log out.
*A little explanation would also be very helpful. Thanks

推薦答案

如果您使用只有您的應(yīng)用程序知道的密鑰對其進行簽名，則您只能將用戶 ID 存儲在 cookie 中.否則，用戶可能會將 cookie 更改為任何內(nèi)容并以其他人的身份登錄.因此，如果您想存儲用戶 ID，還需要使用密鑰存儲用戶 ID 的哈希值(理想情況下使用 HMAC) 并且當(dāng)您想登錄它們時，計算相同的哈希值并將其與來自 cookie 的哈希值進行比較.另一種解決方案是生成一個隨機令牌，將其存儲在數(shù)據(jù)庫中并在 cookie 中使用它.如果它足夠長且足夠隨機，那么有人猜測另一個人的令牌的可能性很小.

You can only ever store the userid in a cookie if you sign it with a secret key that only your applications knows. Otherwise it's possible for the user to change the cookie to anything and login as somebody else. So, if you want to store the userid, store also a hash of the user id with the secret key (ideally using HMAC) and when you want to log them in, calculate the same hash and compare it to the hash from the cookie. Another solution is to generate a random token, store it in the database and use that in the cookie. If it's long and random enough, there is very little chance somebody would guess another person's token.

這篇關(guān)于我應(yīng)該在 cookie 中存儲什么來實現(xiàn)“記住我"?在用戶登錄期間的文章就介紹到這了，希望我們推薦的答案對大家有所幫助，也希望大家多多支持html5模板網(wǎng)！