How to set a more secure cookie to save login status?

WBOY
Release: 2016-10-10 11:55:56

Mainly for two situations:

  1. The user cracked the cookie

  2. Malicious users hijack cookies and pretend to log in

How to set a cookie so that it can remember the user’s login status and be relatively safe?

Reply content:

To those who answered "Session": I guess the questioner hopes that the user's login status can be saved so that they are logged in automatically on their next visit. If you use Session, how do you solve the following problems?

  • How is the Session timeout calculated?

  • The SessionID still has to be stored in a cookie.

On the question itself:

  1. The encryption problem: AES encryption is sufficient, and a strong key will not be cracked. For concrete encryption/decryption code, see @eechen's https://segmentfault.com/q/10...

  2. Preventing cookies from being injected via XSS.
    httponly is enough. Both the session_id and the login-status cookie need httponly; JavaScript cannot read cookies that carry the httponly attribute.

PHP's native session_id is not httponly, so Laravel implements all of the session logic itself and supports database, file, redis and other drivers.

Session

A session stored on the server side is relatively safe.

Use a cookie format such as user_identity|expires_timestamp and encrypt the part that needs to be encoded.
When verifying, decrypt it and then check the contents.

Set httponly to prevent JS from accessing the cookie.
Use HTTPS to prevent man-in-the-middle attacks.
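The replies above describe one scheme between them: a cookie holding user_identity|expires_timestamp, encrypted with AES under a strong key, sent with httponly and only over HTTPS, and checked by decrypting on the server. The following is an added example of that scheme in PHP; it is not code from this thread nor from @eechen's linked answer. AES-256-GCM is the mode chosen here because it also authenticates the value, so an altered cookie fails to decrypt instead of yielding garbage that then has to be validated; the SameSite attribute, the cookie name remember_me, and the hard-coded key (a constructed placeholder) are assumptions of the example.

```php
<?php
declare(strict_types=1);

// Assumed cookie name (not from the thread).
const COOKIE_NAME = 'remember_me';

// CONSTRUCTED placeholder key: a real deployment generates 32 random bytes
// (random_bytes(32)) once and loads them from configuration, never from source.
function cookieKey(): string
{
    return hex2bin(str_repeat('0b', 32));
}

// Build the cookie value: "user_identity|expires_timestamp" encrypted with
// AES-256-GCM, so it is both unreadable and tamper-evident (the GCM tag fails
// if a single bit is altered). Layout: iv (12) || tag (16) || ciphertext.
function sealRememberMe(string $userIdentity, int $expiresAt): string
{
    $plaintext = $userIdentity . '|' . $expiresAt;   // identity is server-controlled, must not contain '|'
    $iv = random_bytes(12);                          // fresh nonce for every cookie issued
    $tag = '';
    $ciphertext = openssl_encrypt($plaintext, 'aes-256-gcm', cookieKey(), OPENSSL_RAW_DATA, $iv, $tag);
    if ($ciphertext === false) {
        throw new RuntimeException('encryption failed');
    }
    // base64url keeps the value safe inside a Set-Cookie header
    return rtrim(strtr(base64_encode($iv . $tag . $ciphertext), '+/', '-_'), '=');
}

// Decrypt and verify. Returns the user identity, or null when the cookie is
// malformed, forged, altered, or expired. The expiry is checked server-side
// because the browser-side cookie lifetime is under the client's control.
function openRememberMe(string $cookieValue, int $now): ?string
{
    $b64 = strtr($cookieValue, '-_', '+/');
    $b64 .= str_repeat('=', (4 - strlen($b64) % 4) % 4);
    $raw = base64_decode($b64, true);
    if ($raw === false || strlen($raw) <= 28) {
        return null;
    }
    $iv = substr($raw, 0, 12);
    $tag = substr($raw, 12, 16);
    $ciphertext = substr($raw, 28);
    $plaintext = openssl_decrypt($ciphertext, 'aes-256-gcm', cookieKey(), OPENSSL_RAW_DATA, $iv, $tag);
    if ($plaintext === false) {
        return null;   // wrong key or authentication tag mismatch: forged or altered
    }
    $parts = explode('|', $plaintext);
    if (count($parts) !== 2 || !preg_match('/^\d{1,12}$/', $parts[1])) {
        return null;
    }
    if ((int) $parts[1] < $now) {
        return null;   // expired
    }
    return $parts[0];
}

// Issue the cookie with the attributes the replies recommend: HttpOnly keeps
// JavaScript away from it, Secure restricts it to HTTPS. SameSite=Lax is an
// extra choice made in this example.
function issueRememberMeCookie(string $userIdentity, int $now, int $lifetime = 30 * 86400): void
{
    $expiresAt = $now + $lifetime;
    setcookie(COOKIE_NAME, sealRememberMe($userIdentity, $expiresAt), [
        'expires'  => $expiresAt,
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
}

// On a normal request: restore the login only if the cookie checks out.
$user = isset($_COOKIE[COOKIE_NAME]) ? openRememberMe($_COOKIE[COOKIE_NAME], time()) : null;

// Self-check when run from the CLI (no browser involved).
if (PHP_SAPI === 'cli') {
    $now = time();
    $sealed = sealRememberMe('user:42', $now + 3600);
    $ok = openRememberMe($sealed, $now) === 'user:42';

    // Flip one ciphertext byte: the GCM tag no longer verifies.
    $raw = base64_decode(strtr($sealed, '-_', '+/'));
    $raw[29] = chr(ord($raw[29]) ^ 0x01);
    $tampered = rtrim(strtr(base64_encode($raw), '+/', '-_'), '=');
    $rejected = openRememberMe($tampered, $now) === null;

    // Past the embedded expiry the cookie is refused even though it is genuine.
    $expired = openRememberMe($sealed, $now + 7200) === null;

    echo ($ok && $rejected && $expired) ? "self-check passed\n" : "self-check FAILED\n";
}
```

Run it with `php remember_me.php` (any file name) to execute the CLI self-check; inside a web request the last block is skipped and only the cookie handling runs. The key must stay the same across all servers that issue or read the cookie, and rotating it logs everyone out, which is the intended effect of rotating it after a leak.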

After the user logs in, an encrypted authorization token string is generated and saved in a cookie. On the next visit, the cookie is read to verify whether the token is valid.

1. The user cracks the cookie

For this case, what can be considered is the complexity of the encryption and an upgrade of the verification logic. For example, make things like the access time and the client IP part of the cookie encryption to increase the difficulty of cracking it.

2. A malicious user hijacks the cookie and impersonates a login

Because the cookie's encryption incorporates the client's IP information, even if the cookie is taken to another machine to access the site, the IP itself will not match and verification cannot pass.

At the same time, we can also consider storing the cookie's information in the SESSION on the server side, to compare it with what the client sends and check whether the cookie information has been tampered with.

There are various methods; we just need to analyze what we need to consider.
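The last two replies describe the other common design: a random token issued at login, kept in a cookie, checked against a server-side record, and tied to client facts such as the IP so that a copied cookie replayed from another machine fails. Below is an added PHP example of that design; it is not code from this thread. The store is a constructed in-memory array standing in for the database or redis the replies mention, only a hash of the token is stored so a leaked table does not yield usable cookies, the fingerprint is built from IP plus User-Agent, and the names issueLoginToken/validateLoginToken are assumptions of the example.

```php
<?php
declare(strict_types=1);

// CONSTRUCTED stand-in for the server-side store (database, file, redis ...).
// Key: SHA-256 of the token. Value: user id, expiry, client fingerprint.
$tokenStore = [];

// Tie the token to client-side facts, as the reply suggests with the IP.
// Caveat for a real deployment: clients on mobile networks or behind NAT
// change IP, which logs them out; whether to bind the IP is a product choice.
function clientFingerprint(string $ip, string $userAgent): string
{
    return hash('sha256', $ip . "\0" . $userAgent);
}

// Called after a successful password login. Returns the raw token that goes
// into the cookie (httponly + secure, as the earlier replies recommend).
function issueLoginToken(array &$store, string $userId, string $ip, string $userAgent,
                         int $now, int $lifetime = 30 * 86400): string
{
    $token = bin2hex(random_bytes(32));   // 256 bits of randomness, not guessable
    $store[hash('sha256', $token)] = [
        'user_id'     => $userId,
        'expires_at'  => $now + $lifetime,
        'fingerprint' => clientFingerprint($ip, $userAgent),
    ];
    return $token;
}

// Called on each request that carries the cookie. Returns the user id or null.
// A token presented from a different client is treated as hijacked and revoked,
// so the legitimate owner is logged out too and has to sign in again.
function validateLoginToken(array &$store, string $token, string $ip, string $userAgent, int $now): ?string
{
    if (!preg_match('/^[0-9a-f]{64}$/', $token)) {
        return null;                              // not something we issued
    }
    $key = hash('sha256', $token);
    if (!isset($store[$key])) {
        return null;                              // unknown or already revoked
    }
    $record = $store[$key];
    if ($record['expires_at'] < $now) {
        unset($store[$key]);                      // expired: clean up
        return null;
    }
    if (!hash_equals($record['fingerprint'], clientFingerprint($ip, $userAgent))) {
        unset($store[$key]);                      // replay from another client
        return null;
    }
    return $record['user_id'];
}

// Called on logout so the cookie is dead even if someone copied it.
function revokeLoginToken(array &$store, string $token): void
{
    unset($store[hash('sha256', $token)]);
}

// In a web request the token would be set with:
// setcookie('auth_token', $token, ['expires' => $now + 30 * 86400, 'path' => '/',
//           'secure' => true, 'httponly' => true, 'samesite' => 'Lax']);
// and read back from $_COOKIE['auth_token'] with $_SERVER['REMOTE_ADDR'] and
// $_SERVER['HTTP_USER_AGENT'] as the fingerprint inputs.

// CLI self-check with constructed documentation-range addresses.
if (PHP_SAPI === 'cli') {
    $now = time();
    $token = issueLoginToken($tokenStore, 'user:42', '203.0.113.5', 'ExampleBrowser/1.0', $now);

    $ok = validateLoginToken($tokenStore, $token, '203.0.113.5', 'ExampleBrowser/1.0', $now) === 'user:42';
    // Same cookie replayed from another IP: rejected and revoked.
    $replayRejected = validateLoginToken($tokenStore, $token, '198.51.100.9', 'ExampleBrowser/1.0', $now) === null;
    // After the revoke, even the original client is logged out.
    $revoked = validateLoginToken($tokenStore, $token, '203.0.113.5', 'ExampleBrowser/1.0', $now) === null;
    // A freshly issued token past its lifetime is refused.
    $token2 = issueLoginToken($tokenStore, 'user:42', '203.0.113.5', 'ExampleBrowser/1.0', $now, 60);
    $expired = validateLoginToken($tokenStore, $token2, '203.0.113.5', 'ExampleBrowser/1.0', $now + 120) === null;

    echo ($ok && $replayRejected && $revoked && $expired) ? "self-check passed\n" : "self-check FAILED\n";
}
```

Compared with the encrypted-cookie scheme, this one costs a store lookup per request but gives the server something the other lacks: any single token can be revoked at logout or when a hijack is detected, and the stored fingerprint is the server-side copy against which the client's cookie is compared, which is exactly the comparison the last reply describes.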
