
Check stackoverflow.com/questions/549/… (part II of top answer)

2018-09-24, 43 min 34 s

if you are using ASP.NET, check out codeproject.com/Articles/779844/Remember-Me

2018-09-25, 43 min 34 s

There is some very useful info over in Security SE ~ security.stackexchange.com/questions/19676/…

2018-09-25, 43 min 34 s

see also: stackoverflow.com/questions/549/… you should NOT read the 'improved' version

2018-09-24, 43 min 34 s

The problem with this is that you expose the username in the cookie, though this is what Gmail does. Why do you need both a series ID and a token? Wouldn't a bigger token be fine?

2018-09-24, 43 min 34 s

Also, regarding this model, what is to prevent an attacker from stealing the cookie, then placing it on his computer and deleting the cookie from the hacked computer? His computer would then be authenticated and updated as needed without the hacked computer ever knowing. The only change would be that the hacked computer's user would have to log in again and set remember me. Whether or not the hacked user recognizes this would be uncertain.

2018-09-24, 43 min 34 s

@HiroProtagonist The Series Identifier is to prevent a DoS attack. Without it, I could quickly write a script hitting your site with every username and an invalid token, logging everyone on your site out.

2018-09-24, 43 min 34 s

@roverred If you just use a long token, and destroy all sessions for a user when any invalid token arrives, I can write a script that hits your site with every username and all 0's for the token to log all users out. Run it in a loop, and no one can ever meaningfully log in. If a valid Series token is required before the server acts against sessions, however, the DoS attack is prevented.

2018-09-24, 43 min 34 s
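The series/token scheme argued over in the comments above, as an added example that is not code from the original thread or from any of the commenters. It implements the rule the last reply states: an unknown series is treated as an anonymous visitor and touches nothing, a known series with a wrong token is treated as a stolen cookie and revokes all of that user's remember-me series, and a good cookie rotates its token. The three scenario functions reproduce the DoS attempt, a detected theft, and the "steal and delete the victim's copy" case raised earlier, which this scheme does not detect. The class name, the `user:series:token` cookie layout, and the in-memory dict standing in for a database table are assumptions of this example.

```python
"""Series-identifier + rotating-token "remember me" store (added example).

Assumptions of this example: an in-memory dict replaces the DB table,
cookie text is "username:series:token", and only the SHA-256 of the
token is stored so a leaked table does not yield usable cookies.
"""
import hashlib
import hmac
import secrets


class RememberMeStore:
    def __init__(self):
        # (username, series) -> sha256 hex of the token currently valid for it
        self.rows = {}

    @staticmethod
    def _h(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, username):
        """Password login with 'remember me' ticked: start a fresh series."""
        series = secrets.token_urlsafe(16)   # identifies this login, never rotates
        token = secrets.token_urlsafe(32)    # rotates on every use
        self.rows[(username, series)] = self._h(token)
        return f"{username}:{series}:{token}"

    def series_count(self, username):
        return sum(1 for user, _ in self.rows if user == username)

    def revoke_user(self, username):
        """Theft response: every remember-me series for the user dies."""
        for key in [k for k in self.rows if k[0] == username]:
            del self.rows[key]

    def present(self, cookie):
        """Validate a presented cookie. Returns (status, replacement_cookie)."""
        parts = cookie.split(":", 2)
        if len(parts) != 3:
            return "anonymous", None
        username, series, token = parts
        stored = self.rows.get((username, series))
        if stored is None:
            # Unknown series: the caller only knows a username. Do NOT revoke
            # anything here, otherwise a loop over usernames logs everyone out.
            return "anonymous", None
        if not hmac.compare_digest(stored, self._h(token)):
            # Right series, stale token: a cookie that was already rotated is
            # being replayed, so two parties hold it. Treat as theft.
            self.revoke_user(username)
            return "theft", None
        new_token = secrets.token_urlsafe(32)
        self.rows[(username, series)] = self._h(new_token)
        return "ok", f"{username}:{series}:{new_token}"


def scenario_dos():
    """Attacker sprays a real username with an all-zero series and token."""
    store = RememberMeStore()
    victim = store.issue("alice")
    status = None
    for _ in range(100):
        status, _ = store.present("alice:" + "0" * 22 + ":" + "0" * 43)
    victim_status, _ = store.present(victim)
    return status, store.series_count("alice"), victim_status


def scenario_theft_detected():
    """Attacker copies the cookie; victim keeps using hers, so the copy goes stale."""
    store = RememberMeStore()
    cookie = store.issue("bob")
    stolen = cookie                        # attacker's copy of the cookie
    ok, fresh = store.present(cookie)      # victim browses: token rotates
    theft, _ = store.present(stolen)       # attacker replays the old token
    after, _ = store.present(fresh)        # victim's rotated cookie is dead too
    return ok, theft, after, store.series_count("bob")


def scenario_theft_undetected():
    """Attacker copies the cookie AND deletes it from the victim's machine."""
    store = RememberMeStore()
    cookie = store.issue("carol")
    first, attacker_next = store.present(cookie)   # attacker is simply logged in
    store.issue("carol")                            # victim logs in again: new, independent series
    again, _ = store.present(attacker_next)         # nothing stale is ever replayed
    return first, again, store.series_count("carol")


if __name__ == "__main__":
    print("dos:", scenario_dos())
    print("theft detected:", scenario_theft_detected())
    print("theft undetected:", scenario_theft_undetected())
```

The last scenario is the honest limit of the design: rotation only trips when both holders keep presenting the same series, so a "move rather than copy" theft looks like an ordinary client. The usual mitigations are outside this scheme (short absolute lifetime on a series, showing users their active sessions, binding a fresh password entry to sensitive actions).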

1. HTTPS is designed to prevent this. 2. Stay Logged In isn't the security problem here, you have bigger problems. 3. Same as 2. 4. This can be prevented by access-control policy and good input sanitation; if you don't take these steps, you again have bigger problems than Stay Logged In.

2018-09-24, 43 min 34 s