Basics of a remember-me system

Frontend · unresolved · 3 answers · 1396 views
春和景丽
春和景丽 2020-12-29 00:16

I am using a PHP / MySQL login system. I would like to add a remember-me to it. What are the basic mechanics of a remember-me? Does it involve adding a new column to the

3 answers
  •  醉梦人生
    2020-12-29 00:53

    Does it involve adding a new column to the table in MySQL where all of the user information is stored, etc. ?

    Not necessarily. A "remember me" works by storing in a cookie either the primary user credentials (his username and password, typically) or some temporary credentials that are set to expire after some time. If you use these temporary surrogate credentials, which are typically long random strings, you must add a table to your database where you store them, the username associated with them and the time when they expire.

    You almost certainly do not want these credentials to be sent over an unencrypted connection. You should store them in secure cookies, that is, cookies that are only sent over HTTPS (you should also set the cookie via an unencrypted connection).

    If you choose to use a secure cookie but do not want to encrypt all traffic you can use two cookies:

    • An insecure cookie that only signals the server that you have a secure cookie with the credentials.
    • A secure cookie with the credentials themselves.

    Then, when the user visits your site and he's not logged in, you check for the presence of the insecure cookie. If it exists, you redirect the user to an HTTPS page. Since this is secure, the secure cookie, with the user credentials, is sent by the client. You then proceed to check the content of the cookie with what you have stored in the database and log in the user.

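The mechanics described in the answer above (a table of surrogate credentials with username and expiry, a Secure cookie carrying them, and the insecure marker cookie that triggers the redirect to HTTPS), as an added example that is not part of the original question or answer. It is Python with an in-memory sqlite3 table standing in for the MySQL table; the table and column names, cookie names, and the 30-day lifetime are assumptions. It also goes a little beyond the answer in two ways that a practitioner would want: the cookie is split into a lookup selector and a secret validator of which only the SHA-256 hash is stored, so a database leak does not hand out usable cookies, and a token is single-use and rotated on each login, so a stolen copy that is replayed after the legitimate user has used it (or a copy with a wrong validator) is rejected and revoked.

```python
import hashlib
import hmac
import secrets
import sqlite3
from datetime import datetime, timedelta, timezone

# Constructed stand-in for the MySQL table the answer describes. sqlite3 is used
# so the example runs offline; names and columns are assumptions, not from the page.
SCHEMA = """
CREATE TABLE IF NOT EXISTS remember_tokens (
    selector       TEXT PRIMARY KEY,   -- random lookup key, stored in the clear
    validator_hash TEXT NOT NULL,      -- SHA-256 of the secret half of the cookie
    username       TEXT NOT NULL,
    expires_at     TEXT NOT NULL       -- ISO-8601 UTC timestamp
)
"""

TOKEN_LIFETIME = timedelta(days=30)          # assumed lifetime
MARKER_COOKIE = "has_remember"               # insecure signalling cookie (assumed name)
REMEMBER_COOKIE = "remember"                 # Secure cookie carrying the credential (assumed name)
EXAMPLE_NOW = datetime(2020, 12, 29, tzinfo=timezone.utc)  # fixed clock for the demo


def days_later(n):
    return EXAMPLE_NOW + timedelta(days=n)


def open_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    return conn


def _hash(validator):
    return hashlib.sha256(validator.encode()).hexdigest()


def issue_token(conn, username, now):
    """Create a surrogate credential for `username`; return the cookie value."""
    selector = secrets.token_urlsafe(12)
    validator = secrets.token_urlsafe(32)
    expires = now + TOKEN_LIFETIME
    conn.execute("INSERT INTO remember_tokens VALUES (?, ?, ?, ?)",
                 (selector, _hash(validator), username, expires.isoformat()))
    return f"{selector}:{validator}"


def redeem_token(conn, cookie_value, now):
    """Return the username the cookie proves, or None. The row is deleted on any
    outcome but 'unknown selector', so each token is single-use."""
    try:
        selector, validator = cookie_value.split(":", 1)
    except (ValueError, AttributeError):
        return None
    row = conn.execute("SELECT validator_hash, username, expires_at "
                       "FROM remember_tokens WHERE selector = ?", (selector,)).fetchone()
    if row is None:
        return None
    stored_hash, username, expires_at = row
    conn.execute("DELETE FROM remember_tokens WHERE selector = ?", (selector,))
    # Constant-time compare so the validator cannot be guessed byte by byte via timing.
    if not hmac.compare_digest(stored_hash, _hash(validator)):
        return None  # known selector, wrong secret: tampered or stolen cookie, now revoked
    if datetime.fromisoformat(expires_at) <= now:
        return None  # expired: fall back to the normal login form
    return username


def set_cookie_header(name, value, expires, secure):
    """Set-Cookie header. The credential cookie gets Secure (HTTPS only) and
    HttpOnly (hidden from page scripts); the marker cookie is deliberately not Secure."""
    attrs = [f"{name}={value}", "Path=/", "HttpOnly", "SameSite=Lax",
             "Expires=" + expires.strftime("%a, %d %b %Y %H:%M:%S GMT")]
    if secure:
        attrs.append("Secure")
    return "Set-Cookie: " + "; ".join(attrs)


def handle_request(conn, cookies, is_https, now):
    """Two-cookie scheme for an unauthenticated request. `cookies` is the parsed
    Cookie header as a dict. Returns (action, detail)."""
    if not is_https:
        if MARKER_COOKIE in cookies:
            return ("redirect", "https")  # marker says a Secure cookie exists: go fetch it over TLS
        return ("anonymous", None)
    value = cookies.get(REMEMBER_COOKIE)   # over HTTPS the browser attaches the Secure cookie
    if value is None:
        return ("anonymous", None)
    username = redeem_token(conn, value, now)
    if username is None:
        return ("anonymous", None)
    new_value = issue_token(conn, username, now)  # rotate: fresh token replaces the one consumed
    headers = [set_cookie_header(REMEMBER_COOKIE, new_value, now + TOKEN_LIFETIME, True),
               set_cookie_header(MARKER_COOKIE, "1", now + TOKEN_LIFETIME, False)]
    return ("login", {"username": username, "headers": headers})


if __name__ == "__main__":
    db = open_db()
    cookie = issue_token(db, "alice", EXAMPLE_NOW)
    print(handle_request(db, {MARKER_COOKIE: "1"}, False, EXAMPLE_NOW))
    print(handle_request(db, {REMEMBER_COOKIE: cookie}, True, days_later(1)))
```

In a real PHP deployment the same flow maps onto setcookie() with the secure and httponly flags and a MySQL table with the same three pieces of data; the part that matters is that the database never holds the raw validator and that a used or mismatched token is discarded rather than left valid until its expiry.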