在哪里存储登录尝试和当前登录状态,cookie或会话?
[英]Where to store login attempts and current login status, cookies or sessions?
问题描述
Note: this question is on where to store login attempts and current login status . 
注意:此问题是关于在何处存储登录尝试和当前登录状态 。
I'm building a web application where users will be required to register to acquire authentication details for which to use when logging in to the system, but I'm a total newbie at security. 我正在构建一个Web应用程序,要求用户进行注册以获取身份验证详细信息,以便在登录系统时使用该身份验证详细信息,但是我在安全性方面是个新手。
And I want a user to login only once per session, so a user must not have more than one existing successful authentication ie can not sign in from both computer a and computer b at the same time or when already a successful authentication of the same user exists or was not logged out. 而且我希望用户每个会话只能登录一次,因此用户不得具有多个现有的成功身份验证,即不能同时从计算机a和计算机b或在已经对同一用户进行成功身份验证的情况下登录存在或未注销。
I think I need to track the user's location, log in attempts and current log in status; 我想我需要跟踪用户的位置,登录尝试和当前登录状态; in order to act accordingly. 为了采取相应的行动 I'm seeking your advice on what to use between cookies and sessions, how to track the user's location and more suggestions are welcome. 我正在就您在Cookie和会话之间使用什么,如何跟踪用户位置的问题寻求您的建议,欢迎提供更多建议。
Thank you in advance. 先感谢您。
3 个解决方案
解决方案1
2 2011-03-27 06:20:44
None of these. 都不是。
You have to employ a database to accomplish your needs. 您必须使用数据库来满足您的需求。
You have to store the current session id, login attempts and login status in the database. 您必须将当前会话ID,登录尝试和登录状态存储在数据库中。
Dunno what is location though. 邓诺虽然在什么位置。
While cookies should be used for the authorization itself, to transfer the session id between a server and a client. 虽然cookie应该用于授权本身,但可以在服务器和客户端之间传输会话ID。
解决方案2
1 2011-03-27 08:33:14
From what I know, you can not track and compare sessions on the server to check for active connections for the same "authenticated" user. 据我所知,您无法跟踪和比较服务器上的会话以检查同一“经过身份验证”的用户的活动连接。 I presume you track your user login and password in the database, and then once they authenticate you set a session variable to track their current login on a given end user device. 我假设您在数据库中跟踪用户的登录名和密码,然后在他们进行身份验证后,设置一个会话变量以在给定的最终用户设备上跟踪其当前登录名。
The best way I can imagine (aside from regular glitches of disconnects, users not logging off, etc) would be to have a table in your database to track logins and status: 我能想到的最好方法(除了经常出现的断开连接故障,用户未注销等)之外,还应该在数据库中有一个表来跟踪登录名和状态:
- User ID 用户身份
- IP Address (pulled from headers/browser) IP地址(从标题/浏览器中拉出)
- last login timestamp (UTC) 上次登录时间戳(UTC)
- Current log in status (boolean) 当前登录状态(布尔)
- Last known server session value 上次已知的服务器会话值
Once that is in place you can create contingencies: 一旦就位,您可以创建意外事件:
- log me out from a logged in device if I authenticate successfully again somewhere else by having the server destroy the session stored in the database and replacing it with the new device's active session 如果我通过在服务器上销毁存储在数据库中的会话并将其替换为新设备的活动会话来在其他地方再次成功进行身份验证,则从登录的设备中注销我
- check for IP Address upon authentication and either lock out user, or use above method to log out remote session 验证时检查IP地址并锁定用户,或使用上述方法注销远程会话
You get the idea I hope. 你希望我能想到。
解决方案3
0 2011-03-27 06:17:10
The main difference between cookies and sessions is that cookies are stored in the user's browser, and sessions are not. Cookies和会话之间的主要区别是cookie存储在用户的浏览器中,而会话则不存储。 This difference determines what each is best used for. 这种差异决定了每种产品的最佳用途。
One should go for cookies to store something that we want to know when the user returns to the web page in future (eg. remember me on this computer check box on login pages uses cookies to remember the user when he returns). 人们应该使用cookie来存储我们希望在用户将来返回网页时知道的东西(例如,在此计算机上记住我的信息,登录页面上的复选框使用cookie来记住用户返回时的信息)。
Sessions should be used to remember something for that particular browser session (like the user name, to display on every page or where ever needed). 会话应用于记住特定浏览器会话的某些内容(例如用户名,以显示在每个页面上或任何需要的位置)。
Good read : 好阅读:
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.