我想完全基于cookie和sql db来验证我的用户。验证系统 - 我的安全吗?
我要做的就是:
1. Once they login, I generate a random string, create a hash from it, save it in the database along with the user id and his IP.
2. I send the hash to the user as cookie
3. Whenever he wants to access something, I verify if his cookie hash matches the one on the server and also if his IP matches. Of yes, he is valid or else, log him out.
4. (As pointed by Akhil) If he clears his browser cookies or anything does not match the information on the database, I clear all the rows with his username and log him out.
Note: I use a session cookie for storing the random hash, which again is generated using the timestamp, and as long as time doesn't repeat itself(I believe), its random in the corect way.
这是好吗?我怎样才能让它变得更好?
我建议不要重新发明轮子。除非你试图改进现有的方法,否则你可能不会自己实现这一点。 –
如果任何清除cookie或Cookie过期,会发生什么情况?他将如何能够登录?你永远不能在IP地址上进行中继。你如何处理动态IP地址?我认为保持密码将是一个更简单的方法 –
“使用时间戳生成”似乎不是随机的。如果字符串是真正随机的,那么散列随机字符串看起来像是一个额外的,不必要的步骤。 –