我不理解在cookie中存储加密内容的概念，因为你需要进行黑客操作的正是它的加密版本。如果我遗漏了什么，请评论。

我正在考虑采用这种方法来“记住我”。如果你能看到任何问题，请评论。

Create a table to store "Remember Me" data in - separate to the user table so that I can log in from multiple devices. On successful login (with Remember Me ticked): a) Generate a unique random string to be used as the UserID on this machine: bigUserID b) Generate a unique random string: bigKey c) Store a cookie: bigUserID:bigKey d) In the "Remember Me" table, add a record with: UserID, IP Address, bigUserID, bigKey If trying to access something that requires login: a) Check for the cookie and search for bigUserID & bigKey with a matching IP address b) If you find it, Log the person in but set a flag in the user table "soft login" so that for any dangerous operations, you can prompt for a full login. On logout, Mark all the "Remember Me" records for that user as expired.

我能看到的唯一弱点是;

你就可以拿到别人的笔记本电脑，用cookie欺骗他们的IP地址。 你可以每次欺骗一个不同的IP地址，并猜出整个事情-但有两个大字符串来匹配，这将是…做类似于上面的计算…我不知道……巨大的机会吗?

安全注意:基于确定性数据的MD5哈希的cookie是一个坏主意;最好使用从CSPRNG派生的随机令牌。有关更安全的方法，请参阅ircmaxell对这个问题的回答。

通常我会这样做:

User logs in with 'keep me logged in' Create session Create a cookie called SOMETHING containing: md5(salt+username+ip+salt) and a cookie called somethingElse containing id Store cookie in database User does stuff and leaves ---- User returns, check for somethingElse cookie, if it exists, get the old hash from the database for that user, check of the contents of cookie SOMETHING match with the hash from the database, which should also match with a newly calculated hash (for the ip) thus: cookieHash==databaseHash==md5(salt+username+ip+salt), if they do, goto 2, if they don't goto 1

当然，你可以使用不同的cookie名称等，你也可以改变cookie的内容，只是要确保它不容易创建。例如，你也可以在创建用户时创建user_salt，并将其放在cookie中。

你也可以用sha1代替md5(或者几乎任何算法)

我推荐Stefan提到的方法(即遵循改进的持久登录Cookie最佳实践中的指导方针)，也建议你确保你的Cookie是HttpOnly Cookie，这样它们就不会被潜在的恶意JavaScript访问。

我不理解在cookie中存储加密内容的概念，因为你需要进行黑客操作的正是它的加密版本。如果我遗漏了什么，请评论。

我正在考虑采用这种方法来“记住我”。如果你能看到任何问题，请评论。

Create a table to store "Remember Me" data in - separate to the user table so that I can log in from multiple devices. On successful login (with Remember Me ticked): a) Generate a unique random string to be used as the UserID on this machine: bigUserID b) Generate a unique random string: bigKey c) Store a cookie: bigUserID:bigKey d) In the "Remember Me" table, add a record with: UserID, IP Address, bigUserID, bigKey If trying to access something that requires login: a) Check for the cookie and search for bigUserID & bigKey with a matching IP address b) If you find it, Log the person in but set a flag in the user table "soft login" so that for any dangerous operations, you can prompt for a full login. On logout, Mark all the "Remember Me" records for that user as expired.

我能看到的唯一弱点是;

你就可以拿到别人的笔记本电脑，用cookie欺骗他们的IP地址。 你可以每次欺骗一个不同的IP地址，并猜出整个事情-但有两个大字符串来匹配，这将是…做类似于上面的计算…我不知道……巨大的机会吗?

Implementing a "Keep Me Logged In" feature means you need to define exactly what that will mean to the user. In the simplest case, I would use that to mean the session has a much longer timeout: 2 days (say) instead of 2 hours. To do that, you will need your own session storage, probably in a database, so you can set custom expiry times for the session data. Then you need to make sure you set a cookie that will stick around for a few days (or longer), rather than expire when they close the browser.

我能听到你在问“为什么是2天?”为什么不是两周?”这是因为在PHP中使用会话会自动将过期时间向后推。这是因为在PHP中会话的过期实际上是一个空闲超时。

现在，我可能会实现一个更难的超时值，我将其存储在会话本身中，并在2周左右退出，并添加代码来查看并强制使会话无效。或者至少让他们退出。这意味着将要求用户定期登录。雅虎这是否。

我读了所有的答案，仍然发现很难提取我应该做什么。如果一张图片相当于1k个单词，我希望这有助于其他人实现基于Barry Jaspan的改进的持久登录Cookie最佳实践的安全持久存储

如果您有问题、反馈或建议，我将尝试更新图表，以反映试图实现安全持久登录的新手。