Storing login information in Cookies

不思量自难忘° 2021-02-05 22:06

I want to save the user's authentication information in a browser cookie for persistent login. As they say, it's never safe to store any secret info (such as a password) in a cookie, but

7 answers
• 醉话见心
2021-02-05 22:46

I would suggest using a unique key on the server to encrypt the username (in this case, email) and store it in the auth cookie. If the cookie is tampered with, it will fail to be decrypted and result in login failure.

If an auth cookie is copied (by manually setting the cookie or by XSS) to another computer (or another browser), then the user would be logged in as well on the new computer. You could consider adding some unique information about the computer (such as IP address) to reduce such risk.

This is an explanation about auth cookies in .NET, but I think the concept works on PHP as well: http://support.microsoft.com/kb/910443
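A worked example of the tamper-evident auth cookie this answer describes, added here and not the answerer's code: it binds the email, the client IP and an expiry into a token protected by an HMAC under a server-side key, so any modification fails verification and a cookie copied to a machine with a different IP is rejected. It uses an HMAC signature rather than encryption, since tamper detection is the property that matters and unauthenticated encryption on its own does not guarantee it; `SERVER_KEY`, the function names and the sample values are constructed for the example.

```python
import base64
import binascii
import hashlib
import hmac
import json
import time

# Constructed example key; in production load it from configuration, never hard-code it.
SERVER_KEY = b"constructed-example-key-rotate-me"


def _b64e(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_auth_cookie(email, client_ip, ttl=86400, key=SERVER_KEY, now=None):
    """Build a cookie value of the form base64(payload).base64(hmac-sha256(payload))."""
    now = int(time.time()) if now is None else now
    payload = json.dumps({"u": email, "ip": client_ip, "exp": now + ttl},
                         separators=(",", ":")).encode()
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return f"{_b64e(payload)}.{_b64e(tag)}"


def read_auth_cookie(cookie, client_ip, key=SERVER_KEY, now=None):
    """Return the email if the cookie is authentic, unexpired and bound to client_ip, else None."""
    now = int(time.time()) if now is None else now
    try:
        p64, t64 = cookie.split(".", 1)
        payload, tag = _b64d(p64), _b64d(t64)
    except (ValueError, binascii.Error):
        return None  # malformed cookie: treat as not logged in
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time; any bit flip lands here
        return None
    data = json.loads(payload)  # payload is ours: the MAC verified
    if data.get("exp", 0) < now or data.get("ip") != client_ip:
        return None  # expired, or replayed from another machine
    return data.get("u")
```

Binding to the client IP is the trade-off the answer mentions: it blocks a copied cookie from another network, but legitimate users whose IP changes (mobile networks, proxies) are logged out and must sign in again.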
