1. 技术文章
  2. PHP cookies and sessions security for user accounts

PHP cookies and sessions security for user accounts

不羁岁月 提交于 2019-12-23 18:41:42

问题


After researching ways to make a secure log in form with 'remember me' functionality I've come across many conflicting views on how to make this secure. The log in system I wish to create does not need to be highly secure, but I'd like to pick a nice secure and easy method and I have two questions.

  1. What should be stored in the session variables to check a user is logged in, is this just username (or ID). If it is just the username, what happens in the case where a user finds their account has been compromised and wishes to change the password to stop the malicious user messing around with their account? If the malicious user has a session then even if the password is changed they can continued being malicious until their session expires, can this be avoided - maybe invalidate all sessions with that username on password change?

  2. Is storing a password (re-encrypted with a salt used just for cookies) and username in a (HttpOnly) cookie a decent enough way of having the 'remember me' functionality? I've heard ways where a database stores a username and a randomly generated key, and this is also put in the user cookie. Then when a user action occurs the old key is replaced with a new one and given to the user's cookie. Is this type of cookie security worth it or will the usual re-encrypted password method be sufficient?


回答1:


Usually if you want to remember the user, you generate a "key" and store it in the database, then set its "lifetime" (this can be anything, like 6 hours or 2 days). You store that key in the cookie (along with the userid). Now, every time the user connects to the website you compare both keys. If the key in the database has exceeded its lifetime, you generate a new key and store it in the cookie. Thus, if someone steals the cookie (somehow) he would have to use it before you connect to the website again and reset the key. This is a method I most commonly see.




回答2:


  1. If the account has already been compromised, there's little, if anything, that you can do. The malicious user will likely change the account password him/herself, along with the email address, etc. Trying to account for the case where the "real" user and a malicious user are logged in at the same time is pointless, IMO.

  2. Never store any sensitive data in a cookie (HTTP-only or not).



来源:https://stackoverflow.com/questions/9116567/php-cookies-and-sessions-security-for-user-accounts

标签
php
security
session
cookies
易学教程内所有资源均来自网络或用户发布的内容,如有违反法律规定的内容欢迎反馈
该文章没有解决你所遇到的问题?点击提问,说说你的问题,让更多的人一起探讨吧!