dongliao9233 2013-06-11 02:50
浏览 17
已采纳

如何检测用户何时登录?

I'm currently working on a little instant messaging project. So far everything has been going pretty well.

The only problem is security. When someone logs in, 2 cookies are set. 

1) Name: loggedin; Value: {username}  
2) Name: mvc; Value: {userSecretKey}  <-- pretty useless

These are the cookies that I use so I can setup the next page. However, I believe there is a far better way to do this. And no, I don't want to use sessions because I have a "remember me" feature.

Someone could just set the cookies themselves and "sign in" without actually signing in.

What would be a better way to set this up? Maybe some sort of changing key?

  • 写回答

2条回答 默认 最新

  • doukang2003 2013-06-12 01:55
    关注

    I would suggest using PHP Sessions alongside cookies that are purely used for the remember me feature. You could set it up like this:

    1. User logs in
    2. You store the user IP and Useragent in the session
    3. If remember me is enabled, create a new database entry with the user id, an unique random id + IP & useragent of user, then add a cookie that references the unique random ID.
    4. Everytime you access the session, check that the request IP and Useragent match with the ones originally set in the session when the person logged in.
    5. When the user returns after they close their browser, where only the remember me cookie is left, compare the request IP and Useragent to the one in the Database
    6. If they match, log them back in automatically.
    7. Users have fun.

    Cheers!

    本回答被题主选为最佳回答 , 对您是否有帮助呢?
    评论
查看更多回答(1条)

报告相同问题?

悬赏问题

  • ¥15 R语言Rstudio突然无法启动
  • ¥15 关于#matlab#的问题:提取2个图像的变量作为另外一个图像像元的移动量,计算新的位置创建新的图像并提取第二个图像的变量到新的图像
  • ¥15 改算法,照着压缩包里边,参考其他代码封装的格式 写到main函数里
  • ¥15 用windows做服务的同志有吗
  • ¥60 求一个简单的网页(标签-安全|关键词-上传)
  • ¥35 lstm时间序列共享单车预测,loss值优化,参数优化算法
  • ¥15 Python中的request,如何使用ssr节点,通过代理requests网页。本人在泰国,需要用大陆ip才能玩网页游戏,合法合规。
  • ¥100 为什么这个恒流源电路不能恒流?
  • ¥15 有偿求跨组件数据流路径图
  • ¥15 写一个方法checkPerson,入参实体类Person,出参布尔值