Stay Logged In Best Practices: How does a username in the cookie make it more secure?

Backend · unresolved · 2 answers · 1377 views
暗喜 2021-02-08 11:25

This is a branch of another question: What is the best way to implement "remember me" for a website?

The top answer is to implement this: http://jaspan.com/imp

2 answers
  • 2021-02-08 11:56

    The username and number are looked up as a pair on the server before issuing a new session cookie. Without the username it would be less secure (could replay using a different user if you stole the number) and harder to look up.

  • 2021-02-08 12:10

    My guess on this:

    The username is for audit. If you require the client to send it together with the token for authentication, then you know which user is attempting to authenticate, which allows you to react in some sane way to the token being wrong.

    If you only ask for the token during auth, then you don't know which user is actually trying it; on a match you just grant someone access, but you can't do anything on failure. Someone can just try to blindly go through them.

    With that in mind, let's say we settle on using both username and token. Now if the token is wrong we can remove all the other tokens for that user. But that opens up the system to DoS: an attacker can log out anyone at will. So for that, the series is added.

    It does not have to be the username; any other info that allows identifying the user will work too.

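The following is an added example that is not part of the question or either answer. It implements the server side of the username/series/token cookie scheme both answers describe, so the three cases they reason about can be exercised directly: a valid cookie (token rotates), a stale cookie with the right series but wrong token (treated as theft, every series for that user is dropped), and a cookie with an unknown username/series pair (plain rejection, so blind guessing cannot log anyone out). The class name `PersistentLoginStore`, the `username:series:token` cookie layout, the in-memory dictionary and the usernames are assumptions made for this illustration.

```python
"""Added example: server side of a username/series/token "remember me" cookie.

Names (PersistentLoginStore, the cookie layout, the sample users) are
assumptions for this illustration, not code from the original thread.
"""
import hashlib
import hmac
import secrets


class PersistentLoginStore:
    """Stores (username, series) -> hashed token; cookie value is username:series:token."""

    def __init__(self):
        self._entries = {}   # {(username, series): sha256(token) hex}
        self.audit_log = []  # (event, username) pairs, so failures are attributable

    @staticmethod
    def _hash(token):
        # Only a hash of the token is kept, so a leaked store does not yield usable cookies.
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, username):
        """Start a new series for the user (e.g. after a password login); returns the cookie."""
        series = secrets.token_urlsafe(16)
        token = secrets.token_urlsafe(16)
        self._entries[(username, series)] = self._hash(token)
        return f"{username}:{series}:{token}"

    def validate(self, cookie):
        """Return (username, rotated_cookie) on success, or (None, None) on failure."""
        try:
            username, series, token = cookie.split(":", 2)  # usernames may not contain ':'
        except ValueError:
            return None, None
        stored = self._entries.get((username, series))
        if stored is None:
            # Unknown username/series pair: plain failure and nothing is invalidated,
            # so guessing a series for a known username cannot log that user out.
            self.audit_log.append(("reject", username))
            return None, None
        if not hmac.compare_digest(stored, self._hash(token)):
            # Known series but wrong token: the cookie was already used (stolen and
            # replayed), so drop every series for this user and force a fresh login.
            self.audit_log.append(("theft", username))
            self.revoke_all(username)
            return None, None
        # Success: rotate the token but keep the series, so the old cookie becomes stale.
        new_token = secrets.token_urlsafe(16)
        self._entries[(username, series)] = self._hash(new_token)
        self.audit_log.append(("ok", username))
        return username, f"{username}:{series}:{new_token}"

    def revoke_all(self, username):
        for key in [k for k in self._entries if k[0] == username]:
            del self._entries[key]

    def series_count(self, username):
        return sum(1 for k in self._entries if k[0] == username)


def demo():
    """Walk through the cases discussed in the thread; returns a dict of checks."""
    store = PersistentLoginStore()
    alice_cookie = store.issue("alice")  # constructed sample users
    bob_cookie = store.issue("bob")
    results = {}

    # 1. Legitimate use: accepted, and the client gets a rotated cookie.
    user, rotated = store.validate(alice_cookie)
    results["legit_accepted"] = user == "alice" and rotated != alice_cookie

    # 2. The old cookie is replayed (same series, stale token): theft is detected
    #    and all of alice's series are revoked, including the rotated one.
    results["replay_rejected"] = store.validate(alice_cookie) == (None, None)
    results["alice_revoked"] = store.series_count("alice") == 0
    results["rotated_also_dead"] = store.validate(rotated) == (None, None)

    # 3. Stolen series/token presented under a different username: plain reject,
    #    because the lookup is on the (username, series) pair.
    _, bob_series, bob_token = bob_cookie.split(":", 2)
    results["wrong_user_rejected"] = store.validate(f"mallory:{bob_series}:{bob_token}") == (None, None)
    results["bob_intact"] = store.series_count("bob") == 1

    # 4. Correct username but a guessed series: still a plain reject, no DoS on bob.
    results["guessed_series_rejected"] = store.validate(f"bob:{secrets.token_urlsafe(16)}:x") == (None, None)
    results["bob_still_intact"] = store.series_count("bob") == 1

    results["theft_logged"] = ("theft", "alice") in store.audit_log
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'ok' if ok else 'FAIL'}")
```

Case 4 is the point of the second answer: without the series, a wrong token for a known username would have to be treated as theft, and anyone could revoke another user's sessions just by sending junk; with the series, only a cookie that matches a real series but carries a stale token triggers revocation, and an attacker cannot produce one without first having held the genuine cookie.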