
How to prevent “remember me” cookie spamming?

I have made a remember-me cookie system for my website (pure PHP). It works like this:

  1. User logs in
  2. A random token (user id + random sha256 hash) is generated and saved in a cookie for one month
  3. The token is also stored in the database (mysql), together with its expiry date (1 month)
  4. When a user visits my site and has the cookie, I compare its value with the one in the database. If they match, I generate a new token for this cookie to prevent cookie stealing

This allows users to be logged in from many devices simultaneously, but I ran into a (possible) problem. When using, for example, incognito mode, each time you view the website it asks you to log in again (because there aren't any cookies, obviously). This way, I can log in hundreds of times and generate hundreds of tokens that will never be used again, but will take up space in my database and won't be deleted until their expiry date. How could I protect myself against that?

This is a common problem with cookies, so set a shorter expiry date for them. You can also use a private key to make the cookie value an encrypted message that contains whatever session information or key information you need, and that will solve all of this.
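The scheme from the question (random token stored server-side with an expiry, rotated on every successful use), with the two controls that address the asker's table-growth problem and the answer's first suggestion: a per-user cap on outstanding tokens, evicting the oldest on each new login, and a purge of expired rows. This is an added example, not code from the original post or its answer; it is Python with an in-memory SQLite table standing in for the asker's MySQL table, and `TOKEN_TTL` and `MAX_TOKENS_PER_USER` are assumed values. Two details go beyond what the page describes and are this example's own choices: the cookie is split into a selector and a validator, and only a SHA-256 hash of the validator is stored, so a leaked table does not hand out usable cookies.

```python
import hashlib
import hmac
import secrets
import sqlite3
import time

TOKEN_TTL = 30 * 24 * 3600   # one month, as in the question
MAX_TOKENS_PER_USER = 5      # assumed cap on remembered devices per user


def open_db():
    """In-memory SQLite standing in for the MySQL table described in the question."""
    db = sqlite3.connect(":memory:")
    db.execute(
        """CREATE TABLE remember_tokens (
               selector       TEXT PRIMARY KEY,
               user_id        INTEGER NOT NULL,
               validator_hash BLOB    NOT NULL,
               expires_at     INTEGER NOT NULL,
               created_at     INTEGER NOT NULL)"""
    )
    return db


def _hash(validator):
    # Only the hash is stored; a leaked table does not yield usable cookies.
    return hashlib.sha256(validator.encode()).digest()


def issue_token(db, user_id, now=None):
    """Create a fresh cookie value for user_id and store the hash of its secret part.

    After inserting, keep only the MAX_TOKENS_PER_USER newest rows for this user,
    so repeated logins (e.g. from incognito windows) cannot grow the table unboundedly.
    """
    now = int(time.time()) if now is None else now
    selector = secrets.token_urlsafe(12)    # lookup key, not secret
    validator = secrets.token_urlsafe(32)   # the secret part, never stored in clear
    db.execute(
        "INSERT INTO remember_tokens VALUES (?, ?, ?, ?, ?)",
        (selector, user_id, _hash(validator), now + TOKEN_TTL, now),
    )
    db.execute(
        """DELETE FROM remember_tokens
           WHERE user_id = ? AND selector NOT IN (
               SELECT selector FROM remember_tokens WHERE user_id = ?
               ORDER BY created_at DESC, rowid DESC LIMIT ?)""",
        (user_id, user_id, MAX_TOKENS_PER_USER),
    )
    db.commit()
    return f"{selector}:{validator}"


def purge_expired(db, now=None):
    """Delete rows past their expiry date (run this from a cron job); returns the row count."""
    now = int(time.time()) if now is None else now
    cur = db.execute("DELETE FROM remember_tokens WHERE expires_at <= ?", (now,))
    db.commit()
    return cur.rowcount


def check_and_rotate(db, cookie, now=None):
    """Validate a presented cookie. On success invalidate it and return
    (user_id, replacement_cookie), i.e. step 4 of the question; otherwise None."""
    now = int(time.time()) if now is None else now
    if ":" not in cookie:
        return None
    selector, validator = cookie.split(":", 1)
    row = db.execute(
        "SELECT user_id, validator_hash, expires_at FROM remember_tokens WHERE selector = ?",
        (selector,),
    ).fetchone()
    if row is None:
        return None
    user_id, stored_hash, expires_at = row
    # Whatever happens next, this selector is single-use: drop it now.
    db.execute("DELETE FROM remember_tokens WHERE selector = ?", (selector,))
    db.commit()
    if expires_at <= now:
        return None
    if not hmac.compare_digest(stored_hash, _hash(validator)):
        # Known selector with the wrong secret: a tampered or guessed cookie.
        # The row is already revoked above, so a stolen-and-replayed token dies too.
        return None
    return user_id, issue_token(db, user_id, now)


def count_tokens(db, user_id):
    return db.execute(
        "SELECT COUNT(*) FROM remember_tokens WHERE user_id = ?", (user_id,)
    ).fetchone()[0]
```

In the real application the cookie would only be issued when the user ticks "remember me", and set with the HttpOnly and Secure flags; neither is shown here. The cap is what answers the incognito case: each extra login still creates a row, but the user's oldest row goes with it, so the table holds at most `MAX_TOKENS_PER_USER` rows per account regardless of how often anyone logs in.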

粤ICP备18138465号  © 2020-2024 STACKOOM.COM