Storing login information in Cookies

Front-end · Unresolved · 7 answers · 1519 views
不思量自难忘° 2021-02-05 22:06

I want to save the user's authentication information in a browser cookie for persistent login. As they say, it's never safe to store any secret info (such as a password) in a cookie, but

7 answers
  • 2021-02-05 22:41

    You could also install a cookie with a UserID and a SessionID with an expiry timestamp. Then if you bind the cookie to IP or hostname (or preferably both) you're quite safe from cookie stealers and other stuff.

  • 2021-02-05 22:43

    You don't have much of a choice when it comes to storing user info on the client side...

    You can try to make some encryption using the client IP as the key. This way, even if the cookie is copied to the hacker's computer, if he doesn't notice that the IP is the key of the encryption you'll have some decent protection of the user's info.

    Facebook is doing something this way; proof is that every time you try to log in from another connection point you have to go through the user verification system...

    So look for some reversible encryption and this should make your day ;)

  • 2021-02-05 22:46

    I wrote an answer to the same question in How to improve my user login scheme - have a look there.

  • 2021-02-05 22:46

    I would suggest using a unique key on the server to encrypt the username (in this case, email) and store it in the auth cookie. If the cookie is tampered with, it will fail to be decrypted and result in login failure.

    If an auth cookie is copied (by manually setting the cookie or by XSS) to another computer (or another browser), then the user would be logged in as well on the new computer. You could consider adding some unique information about the computer (such as IP address) to reduce such risk.

    This is an explanation about auth cookies in .NET, but I think the concept works on PHP as well: http://support.microsoft.com/kb/910443

  • 2021-02-05 22:50

    "I think there is no other choice."

    Think again.

    You don't need to store the password clientside in order to maintain a session. The 'remember me' operation is just the same - use a random value which is a lookup key to data held on your server.

    Short of using client side certificates with pass phrases, anything else you do to complicate things will not improve security, and is more likely to expose your customer's private data.

  • 2021-02-05 22:51

    There is a good article on how to make "remember me" cookies more secure: http://jaspan.com/improved%5Fpersistent%5Flogin%5Fcookie%5Fbest%5Fpractice

    I have implemented the method described in the article in a PHP library: https://github.com/gbirke/rememberme, maybe you can use that as a reference.

    Session fixation and cookie stealing are a real problem in the age of Firesheep. The only defense against that is securing your site with SSL and monitoring for XSS flaws.

    Another way to improve your security is to remember if a user logged in with a "remember me" cookie and force him to reauthenticate when he does something "dangerous" like ordering or changing login credentials.

    For more resources, see this Question: The definitive guide to form-based website authentication

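The "remember me" approach the two answers above describe (a random value that is only a lookup key to data held on the server, in the selector/validator form of the linked article), as an added Python example that is not part of any answer or of the rememberme library; the in-memory store and the 30-day lifetime are assumptions:

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional

# Hypothetical in-memory store standing in for a database table keyed by
# the selector; nothing secret is stored in the cookie except the validator.
_store: dict = {}

TTL = 30 * 24 * 3600  # assumed cookie lifetime: 30 days


def _hash(validator: str) -> str:
    return hashlib.sha256(validator.encode()).hexdigest()


def issue_cookie(user_id: str, now: Optional[float] = None) -> str:
    """Create a remember-me cookie value of the form 'selector:validator'.

    Only the SHA-256 of the validator is kept server-side, so a leaked
    table does not yield usable cookies; the selector is just a lookup key."""
    now = time.time() if now is None else now
    selector = secrets.token_urlsafe(12)
    validator = secrets.token_urlsafe(32)
    _store[selector] = {"user": user_id, "hash": _hash(validator), "exp": now + TTL}
    return f"{selector}:{validator}"


def verify_cookie(cookie: str, now: Optional[float] = None) -> Optional[str]:
    """Return the user id for a valid cookie, otherwise None.

    The validator is compared in constant time. A wrong validator for a
    known selector means the cookie was forged or a copy was already used,
    so that selector is revoked rather than silently rejected."""
    now = time.time() if now is None else now
    try:
        selector, validator = cookie.split(":", 1)
    except ValueError:
        return None
    rec = _store.get(selector)
    if rec is None or rec["exp"] < now:
        _store.pop(selector, None)  # expired entries are dropped on sight
        return None
    if not hmac.compare_digest(rec["hash"], _hash(validator)):
        del _store[selector]        # possible theft: invalidate this series
        return None
    return rec["user"]
```

Rotating the validator on every successful use (as the linked article recommends) is a one-line extension: issue a fresh validator, overwrite the stored hash, and send the new cookie.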