I use a GO server (golang.org), which does have good support for encryption and third party package which provides basic cookie based session handling. I am looking for guidelines on generating tokens, and good practice to store, invalidate etc. My application need custom user management. Can one use Oauth in an offline setting, or any better way?
1条回答 默认 最新
dongyan3562 2012-10-30 00:58关注Generally, session cookies should be:
- opaque. You should not be passing any information hidden in the cookie. It is merely an identifier.
- unguessable. You wouldn't want people to be able to guess other people's session tokens and hijack them.
- collisions resistant. If you have thousands of users on your site all at the same time, you need reasonably large tokens so two users don't end up with the same token.
- stored safely. Save your session information somewhere web browsers (and other public users) have no access to them. Usually this means saving them on disk outside of the server's document tree, or putting them into a database.
- deleted close to expiration. You don't want to keep session data forever. Once in a while, you need to go through the session data and delete everything that has expired.
I'm not sure where OAuth comes into this, since that is an authentication system and you're asking about session management. (Although I realize the two can be related.)
本回答被题主选为最佳回答 , 对您是否有帮助呢?解决 无用评论 打赏举报
分享
- 2012-10-30 00:26回答 1 已采纳 Generally, session cookies should be: opaque. You should not be passing any information hidden
- 2015-07-09 20:55回答 1 已采纳 The idea of using tokens is to allow for a server to be completely stateless. The server just prov
- 2016-04-21 09:08回答 2 已采纳 Well, you need to understand that every request the client sends to your server is independent, so
- 2021-06-09 06:14session ( ) 选项: - `store` session store instance - `logger` optional logger provided by [log4js-node](https://github.com/nomiddlename/log4js-node)请求会话要存储或访问会话数据,只需使用请求属性req....
- 2013-11-15 19:38回答 1 已采纳 You're passing $token in as the first parameter for CSRF::check(). Surely, it should be: CSRF::ch
- 2018-08-29 15:41回答 1 已采纳 There's a few problems with your code: token.php needs to output the token. Which is as simple as
- 2014-12-19 14:57回答 2 已采纳 Make sure you only (re)generate a token if the form is not submitted yet. <?php // Process re
- 2022-05-04 13:17panjinww的博客 我们做一件事情的时候是依着惯性做事,还是基于深度思考后的决策
- 2015-09-06 12:25回答 2 已采纳 [http://blog.csdn.net/fengge8ylf/article/details/46325373](http://blog.csdn.net/fengge8ylf/article/d
- 2016-02-13 00:02回答 2 已采纳 The functionality of my code seemed fine in Safari, but other browsers mismatched the token. The
- 2021-12-03 10:33回答 2 已采纳 安全验证本来就不应该是长期的,所以用session完全可以的。token安全的地方是它可以自动失效,设个时间在时间结束后自动失效,安全性大涨。token和session本质上的区别就是:session
- 2020-08-21 06:26weixin_26753891的博客 它从会话开始,现在基于令牌。 在这篇文章中,您将了解有关过渡以及当今如何处理Web安全性的信息。 饼干 (Cookies) Cookies are small pieces of data, shared by a server with a client, who is accessing or ...
- 2022-08-24 10:58回答 2 已采纳 不要使用中文输入法
- 2020-07-30 13:28weixin_26722031的博客 会话cookieAre you new to web-development, feeling confused with different Web Storage elements? 您是Web开发的新手,对不同的Web存储元素感到困惑吗? If yes, then you are at the right place This article...
- 2021-10-21 10:32一一哥Sun的博客 这时候问题就来了,以前单台服务器的时候,我们的会话很好管理,现在有多台服务器,那会话岂不是有多个了?这时候我们把服务器集群环境下的会话和单个用户关联起来? 啊啊啊...是不是感觉很复杂!
- 没有解决我的问题, 去提问
悬赏问题
- ¥15 ads仿真结果在圆图上是怎么读数的
- ¥20 Cotex M3的调试和程序执行方式是什么样的?
- ¥20 java项目连接sqlserver时报ssl相关错误
- ¥15 一道python难题3
- ¥15 用matlab 设计一个不动点迭代法求解非线性方程组的代码
- ¥15 牛顿斯科特系数表表示
- ¥15 arduino 步进电机
- ¥20 程序进入HardFault_Handler
- ¥15 oracle集群安装出bug
- ¥15 关于#python#的问题:自动化测试