跟踪用户是否在无状态Web应用程序中登录?
[英]Tracking whether user is logged-in in a stateless web application?
问题描述
If I wanted to enable users to log in and out, what would be some good patterns of doing this in a stateless application? 
如果我想让用户登录和退出,那么在无状态应用程序中执行此操作会有什么好的模式?
Also, what are the top security concerns? 此外,最重要的安全问题是什么? I am thinking of doing this in Java. 我想在Java中这样做。
Thanks, Alex 谢谢,亚历克斯
1 个解决方案
解决方案1
2 已采纳 2011-04-04 18:56:49
If you cannot store session data in user's browser (via cookie), this is probably very hard to achieve. 如果您无法在用户的浏览器中存储会话数据(通过cookie),则可能很难实现。
I'm not sure what you mean by "stateless" but if storing session key in user's browser is not possible, you can always send this "key" in the HTML you produce. 我不确定“无状态”是什么意思,但如果无法在用户的浏览器中存储会话密钥,您可以随时在您生成的HTML中发送此“密钥”。 This "key" will be something you randomly generate (random enough that nobody can easily guess it). 这个“关键”将是你随机生成的东西(足够随机,没人能轻易猜出它)。 The "key" is only known by you and the user. 只有您和用户知道“密钥”。 Whenever the user requests a new page, he needs to "POST" or "GET" this key as HTTP parameter if the user wants to be identified as logged in. 每当用户请求新页面时,如果用户想要被识别为已登录,则他需要将此键“POST”或“获取”为HTTP参数。
Security concern for this is that if you do this over non-secure (http), the network can easily be sniffed. 对此的安全问题是,如果您通过非安全(http)执行此操作,则可以轻松地嗅探网络。 If you do it over SSL (https) it is probably more secure. 如果您通过SSL(https)执行此操作,则可能更安全。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.