java - About the design of Spring MVC login system
天蓬老师
天蓬老师 2017-05-17 10:08:17
0
4
597

My current idea is to define a User object, which includes uid, username, password, isLoginedwait. Then set up an interceptor. When the user makes the first request (session starts), it will determine whether the user is logged in based on user.isLogined from the database. If logged in, it will be at the session level. Set isLogined equal to true, otherwise it will redirect to the login page.

But in this case, how should I determine the user's identity when the user makes the first request? If uid is set in the cookie, the uid can be forged by others, posing a potential security risk.

Is there any good solution to this problem?

Replenish

My main problem is how to judge the legitimacy of the user's login identity. Now my idea is to encrypt the user id and save it in a cookie. Only I know this key, so even if others know the user id, they will not know it. I would like to ask if this is reasonable.

天蓬老师
天蓬老师

欢迎选择我的课程,让我们一起见证您的进步~~

reply all(4)
滿天的星座

This risk is huge: if the uid is changed to someone else’s, and that person happens to be logged in, then they will be logged in as someone else

Follow your plan:
1. Set the uid of the cookie to be encrypted, or a meaningless random string
2. Use this string to compare with the db, or compare with the cache, and verify the IP at the same time Or user agent to enhance security
3, consider session expiration policy

我想大声告诉你

First of all, you need to store user information in your database and set it upisLogined 默认为FALSE,每次登陆成功后更新为TRUE,退出后更新为FALSE;判断登陆成功的标志用userName userPass 匹配,还有isLogined 判断;最后设置判断级别,先isLogined用户密码

Ty80

It is recommended that the login status should not be stored in the database, at least not in a relational database; you can return the token after the user login verification is completed, and all subsequent user requests will carry this token in the authorization field of the headers; you can learn more Let’s take a look at jwt and related implementations

过去多啦不再A梦

According to your current method, if I am an anonymous user who is not logged in and requests one of your interfaces, and then is intercepted from the database to determine whether the user is logged in based on user.isLogined, then a problem arises. Who is the user in your user.isLogined?


It is recommended to put the user login success information in the session after logging in directly. When requesting, just use the interceptor to verify the session. Do not access the database. This database access operation is very expensive for every request.

Latest Downloads
More>
Web Effects
Website Source Code
Website Materials
Front End Template