如何设置安全cookie以指示用户已登录?
[英]How do I set a secure cookie to indicate a user is logged in?
问题描述
Currently, after a user logs in, I simply store the user's ID number in a cookie using the following PHP code: 
目前,在用户登录后,我只需使用以下PHP代码将用户的ID号存储在cookie中:
setcookie('userid', "$userid", time()+60*60*24*7*2, '/');
The above code sets a cookie that lasts for 2 weeks and contains the user's ID number (stored in the variable $userid) that is not private. 上面的代码设置了一个持续2周的cookie,并包含非私有的用户ID号(存储在变量$ userid中)。 It also allows the user to stay logged in for 2 weeks. 它还允许用户保持登录2周。 I am aware that this is probably one of the least secure ways to set a cookie to indicate that a user is logged in, since one can simply change his or her cookie parameter and log in as any user he or she wishes. 我知道这可能是设置cookie以指示用户登录的最不安全的方法之一,因为可以简单地更改他或她的cookie参数并以他或她希望的任何用户身份登录。
Therefore, how do a I set a cookie that accomplishes everything my cookie above accomplishes but is also secure? 因此,我如何设置一个cookie来完成我上面的cookie完成但也是安全的?
In other words, what is the best way for me set a cookie that is secure and allows me at the very least to identify the user's ID number during his or her session? 换句话说,对我来说,设置一个安全的cookie并允许我至少在他或她的会话期间识别用户的ID号的最佳方式是什么? I would also like the cookie to last 2 weeks, so the user doesn't have to keep logging back into my website. 我还希望cookie能够持续2周,因此用户无需继续登录我的网站。
5 个解决方案
解决方案1
3 已采纳 2012-10-18 03:39:52
解决方案2
1 2012-10-18 03:58:38
You should also send a second cookie, a hash value, that is unique to the user. 您还应该发送第二个cookie,即用户唯一的哈希值。 For example, in the second cookie store the hash of the user id, user name, password, and salt value. 例如,在第二个cookie存储中,用户ID,用户名,密码和salt值的哈希值。
md5($userId.$userName.$passwordHash.$userSalt);
Since you know the user ID from the first cookie, find that user in the database. 由于您知道第一个cookie中的用户ID,因此请在数据库中查找该用户。 The second cookie should be used to validate the user ID. 第二个cookie应该用于验证用户ID。 If the hash cookie value doesn't match exactly, you know your server didn't provide the second cookie and you should reject the implicit login request. 如果哈希cookie值不完全匹配,您知道您的服务器没有提供第二个cookie,您应该拒绝隐式登录请求。
解决方案3
0 2012-10-18 03:46:23
Use a secure hash (known to the server only) in combination with some data specific to the user and create a hash. 使用安全哈希(仅限服务器已知)与特定于用户的某些数据组合并创建哈希。 Save that as the value instead of the id. 将其保存为值而不是id。 When you get a request, compare the hash by regenerating it. 收到请求时,通过重新生成来比较哈希。 Note that it's still vulnerable to XSS attach or CSRF. 请注意,它仍然容易受到XSS attach或CSRF的攻击。 So address those as well if you are concerned. 如果你担心,那么也要解决这些问题。 Cookies are bad way of storing data, what above will stop is someone just setting a cookie to a random user id and login. Cookie是存储数据的不好方法,以上将停止的是有人只是将cookie设置为随机用户ID并登录。
This is if you want an auto login and keep it separate from session id. 这是您想要自动登录并将其与会话ID分开。 If not do as the other answers suggest and use session. 如果不这样做,其他答案建议并使用会话。
解决方案4
0 2012-10-18 03:49:50
All the user data must be stored in session ,after a successful login . 成功登录后,所有用户数据必须存储在会话中。 when you call session_start() a unique id will be generated and that will be stored in browser cookie .and every time browser make a request it will send the value in cookie along with it.for stronger security you can regenerate the session id after successful login. 当你调用session_start() ,将生成一个唯一的id,它将被存储在浏览器cookie中。每次浏览器发出请求时,它都会将cookie中的值与它一起发送。为了更强的安全性,你可以在成功后regenerate会话ID登录。
解决方案5
0 2012-10-18 03:56:50
You could also use mcrypt, to encrypt some data in a cookie, it is my prefered way of storing something in a cookie. 您也可以使用mcrypt来加密cookie中的某些数据,这是我在cookie中存储内容的首选方式。
If you ever need it for some purpose, then just decrypt it. 如果您出于某种目的需要它,那么只需解密它。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.