If I log in and save the username and password in cookies, how can I save them better? Log in directly through cookies without a session: log in with the account information in the cookies and generate a new session.
For security reasons, it is best not to save passwords in cookies. Here is an idea: when the user logs in for the first time, after the username and password have been verified successfully, an authorization token is generated and saved in a cookie; next time, the token is read from the cookie for verification.
Why not try jsonwebtoken and save it in a cookie as well?
I think it can be saved as username|IP. In this way, when logging in automatically, first take out the first value and compare it with the username, then compare it with the IP. The same IP will log in automatically; if it is different, it will not automatically
Cookie information is stored on the client (such as a browser), while session information is stored on the server. Only the sessionid is stored in the cookie, and the sessionid is passed to the server through the cookie. Cookies generally store only non-sensitive information such as user names.
Sensitive information should not be stored in cookies
If you want to use cookies to log in, you can try storing the user id, the token time, and md5(user id + token time + custom key) in the cookie.
The client uses the above information to verify the identity and validity period of the cookie and generates a session.
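An added example (not from this thread) of the signed-cookie scheme sketched in the answer above, in Python. It swaps the post's md5(user id + token time + custom key) for an HMAC-SHA256 signature over the same fields, and SERVER_KEY, issue_cookie and verify_cookie are names assumed for the illustration.

```python
import hashlib
import hmac
import time
from typing import Optional

# Constructed server-side secret for this example; a real deployment loads it
# from configuration and never writes it into the cookie itself.
SERVER_KEY = b"example-server-key-change-me"
SEPARATOR = "|"


def _signature(user_id: str, expires_at: int) -> str:
    """HMAC-SHA256 over user id and expiry (stand-in for the post's md5(...))."""
    msg = f"{user_id}{SEPARATOR}{expires_at}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def issue_cookie(user_id: str, ttl_seconds: int, now: Optional[int] = None) -> str:
    """Build the remember-me cookie value: user_id|expires_at|signature."""
    if SEPARATOR in user_id:
        raise ValueError("user id must not contain the separator")
    now = int(time.time()) if now is None else now
    expires_at = now + ttl_seconds
    return SEPARATOR.join([user_id, str(expires_at), _signature(user_id, expires_at)])


def verify_cookie(cookie: str, now: Optional[int] = None) -> Optional[str]:
    """Return the user id if the cookie is intact and unexpired, otherwise None."""
    now = int(time.time()) if now is None else now
    parts = cookie.split(SEPARATOR)
    if len(parts) != 3:
        return None
    user_id, expires_str, sig = parts
    if not expires_str.isdigit():
        return None
    expires_at = int(expires_str)
    # Recompute the signature server-side and compare in constant time so a
    # tampered user id or expiry is rejected without leaking how close it was.
    if not hmac.compare_digest(sig, _signature(user_id, expires_at)):
        return None
    if now >= expires_at:
        return None
    return user_id
```

Only the server holds SERVER_KEY, so the browser can present the cookie but cannot forge one for another user id or extend its expiry.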
This is the legendary automatic login principle.