Stay Logged In Best Practices: How does a username in the cookie make it more secure?

后端 未结 2 1372
暗喜
暗喜 2021-02-08 11:25

This is a branch of another question: What is the best way to implement "remember me" for a website?

The top answer is to implement this: http://jaspan.com/imp

2条回答
  •  太阳男子
    2021-02-08 12:10

    My guess on this:

    The username is for audit. If you require the client to send it together with the token for authentication, then you know which user attempts to be authenticated. Which allows you to react in some sane way to the token being wrong.

    If you only ask for the token during auth, then you don't know which user actually tries it and on a match just grant someone access but can't do anything on fail. Someone can just try to blindly go over them.

    With that in mind let's say we settle on using both username and token. Now if token is wrong we can remove all the other tokens for that user. But that opens up the system to DOS. Attacker can log out anyone at will. So for that series is added.

    It does not have to be username, some other info that will allow to identify the user will work too.

提交回复
热议问题