
Is it a good idea to use a combination of cookies and sessions for keeping users logged in

I am looking at the possibility of setting up an option to keep users logged in. Now I understand a session could be used to allow a user to navigate around without re-entering login information on each page, but only until the browser is closed and the session is lost. A cookie would be stored client side and has a duration until it expires or the user deletes the cookie.

I was thinking that I could use a combination of both:

  1. Create a db table (id, user_id, cookie_token, is_active).
  2. User logs in, which creates a row in the db table connecting the user to the cookie_token, which is stored on the client browser (system) as well.

    • Each time a token is created, check to see if the user the token is being created for has any active tokens in the system already, and set those to inactive before a new one is created.
    • Only one token can be active per user.

So every time the user visits the site, the system looks up that token and checks the is_active field. If the user_token is found and is_active = 1 or true, the user data is retrieved (id, name, etc.) and this then creates the session and the session variables.

I am not able to find any questions or answers that use a combination of both, so it could be that this is just overkill or a very bad idea. I just started to read up on sessions and cookies and have been trying to figure out a system that I could implement myself, so it would be nice to know if this is good or bad.

I can't reply as a comment anymore, because my reply would be too long... I've implemented something like the following. Unfortunately I can't remember it precisely, but it should give you a pretty good idea:

Visit before manual login:

  • Start a session.
  • At successful login, store a user identification in this session and store a token value in the DB and in the cookie.

Next time the browser visits the page:

  • (Re)start the session.
  • Check if a user identification is set in this session.
    • If so, auto-login the user which matches the identification.
    • If not (session expired due to a time restriction or browser close), check if a token value is stored in the cookie and if this value matches a token value stored in the DB.
      • If an (unexpired) match is found, auto-login the user and remove old tokens.
      • If the user identification is invalid and the token value is invalid/expired:
        • log out the user (which includes all actions to go back to "public" mode, like destroying the session, removing tokens, cookies, etc.).
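The scheme from the question (one active token row per user, looked up on each visit) and the visit logic from the answer (session first, then cookie, otherwise back to public mode) in working form, as an added example that is not part of either post. It uses an in-memory SQLite table and plain dicts in place of a web framework's session and cookie objects, and goes beyond what the posts describe in two ways a practitioner would want: the database stores a SHA-256 hash of the token rather than the token itself, so a leaked table copy cannot be replayed as cookies, and the token is rotated on every successful cookie login, so a stolen copy stops working once the legitimate browser has used it. The table name `remember_tokens`, the `expires_at` column, the 30-day lifetime and all function names are assumptions, not anything the posts specify.

```python
import hashlib
import secrets
import sqlite3
import time

# Assumed table standing in for the question's (id, user_id, cookie_token, is_active);
# the stored column is a hash of the token, and expires_at bounds the cookie lifetime.
SCHEMA = """
CREATE TABLE remember_tokens (
    id          INTEGER PRIMARY KEY,
    user_id     INTEGER NOT NULL,
    token_hash  TEXT    NOT NULL UNIQUE,
    is_active   INTEGER NOT NULL DEFAULT 1,
    expires_at  INTEGER NOT NULL
);
"""

TOKEN_LIFETIME = 30 * 24 * 3600  # assumed: 30 days


def _hash(token):
    # Lookups are done by hash, so the plaintext token never touches the database.
    return hashlib.sha256(token.encode()).hexdigest()


def open_store():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def issue_token(conn, user_id, now=None):
    """On successful login: deactivate every earlier token for this user (only one
    active per user), insert a new row, and return the raw value for the cookie."""
    now = int(time.time()) if now is None else now
    token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG, never guessable
    with conn:
        conn.execute("UPDATE remember_tokens SET is_active = 0 WHERE user_id = ?", (user_id,))
        conn.execute(
            "INSERT INTO remember_tokens (user_id, token_hash, is_active, expires_at)"
            " VALUES (?, ?, 1, ?)",
            (user_id, _hash(token), now + TOKEN_LIFETIME),
        )
    return token


def user_for_cookie(conn, cookie_token, now=None):
    """Visit without a session: returns (user_id, new_token) if the cookie matches an
    active, unexpired row, else None. The token is rotated on every successful use."""
    now = int(time.time()) if now is None else now
    if not cookie_token:
        return None
    row = conn.execute(
        "SELECT user_id, is_active, expires_at FROM remember_tokens WHERE token_hash = ?",
        (_hash(cookie_token),),
    ).fetchone()
    if row is None:
        return None
    user_id, is_active, expires_at = row
    if not is_active or now >= expires_at:
        return None
    return user_id, issue_token(conn, user_id, now)


def logout(conn, user_id):
    """Back to public mode for this user: revoke their remember-me token server side."""
    with conn:
        conn.execute("UPDATE remember_tokens SET is_active = 0 WHERE user_id = ?", (user_id,))


def handle_request(conn, session, cookies, now=None):
    """The answer's per-visit decision: session first, then cookie, otherwise clear
    everything. `session` and `cookies` are dicts standing in for the framework's
    objects and are mutated the way a request handler would mutate them.
    Returns the logged-in user_id or None."""
    if "user_id" in session:
        return session["user_id"]
    result = user_for_cookie(conn, cookies.get("remember"), now)
    if result is None:
        # Neither a live session nor a valid token: destroy session state and cookie.
        session.clear()
        cookies.pop("remember", None)
        return None
    user_id, new_token = result
    session["user_id"] = user_id      # recreate the session variables from the DB row
    cookies["remember"] = new_token   # replace the used token with the rotated one
    return user_id
```

When the framework actually sets the `remember` cookie it should carry the `Secure`, `HttpOnly` and `SameSite` attributes and an expiry matching `expires_at`; the value is a bearer credential equivalent to a password for as long as it is active, which is why the example hashes it at rest and rotates it on use.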

Notice: the technical posts on this site follow the CC BY-SA 4.0 license; if you need to repost, please credit this site's URL or the original source. For any questions contact: yoyou2525@163.com.

Guangdong ICP filing no. 18138465  © 2020-2024 STACKOOM.COM