简体中文(ZH-CN)English(EN)繁体中文(ZH-TW)日本語(JA)한국어(KO)Melayu(MS)Français(FR)Deutsch(DE)
Home
Article
Q&A
Course
Topic
Download
Game
Dictionary
Recent Updates

Home  >  Q&A  >  body text

java - About the design of Spring MVC login system

My current idea is to define a User object, which includes uid, username, password, isLoginedwait. Then set up an interceptor. When the user makes the first request (session starts), it will determine whether the user is logged in based on user.isLogined from the database. If logged in, it will be at the session level. Set isLogined equal to true, otherwise it will redirect to the login page.

But in this case, how should I determine the user's identity when the user makes the first request? If uid is set in the cookie, the uid can be forged by others, posing a potential security risk.

Is there any good solution to this problem?

Replenish

My main problem is how to judge the legitimacy of the user's login identity. Now my idea is to encrypt the user id and save it in a cookie. Only I know this key, so even if others know the user id, they will not know it. I would like to ask if this is reasonable.

天蓬老师天蓬老师2712 days ago538

reply all(4)I'll reply

  • 滿天的星座

    滿天的星座2017-05-17 10:10:17

    This risk is huge: if the uid is changed to someone else’s, and that person happens to be logged in, then they will be logged in as someone else

    Follow your plan:
    1. Set the uid of the cookie to be encrypted, or a meaningless random string
    2. Use this string to compare with the db, or compare with the cache, and verify the IP at the same time Or user agent to enhance security
    3, consider session expiration policy

    reply
    0
  • 我想大声告诉你

    我想大声告诉你2017-05-17 10:10:17

    First of all, you need to store user information in your database and set it upisLogined 默认为FALSE,每次登陆成功后更新为TRUE,退出后更新为FALSE;判断登陆成功的标志用userName userPass 匹配,还有isLogined 判断;最后设置判断级别,先isLogined用户密码

    reply
    0
  • PHP中文网

    PHP中文网2017-05-17 10:10:17

    It is recommended that the login status should not be stored in the database, at least not in a relational database; you can return the token after the user login verification is completed, and all subsequent user requests will carry this token in the authorization field of the headers; you can learn more Let’s take a look at jwt and related implementations

    reply
    0
  • 过去多啦不再A梦

    过去多啦不再A梦2017-05-17 10:10:17

    According to your current method, if I am an anonymous user who is not logged in and requests one of your interfaces, and then is intercepted from the database to determine whether the user is logged in based on user.isLogined, then a problem arises. Who is the user in your user.isLogined?

    It is recommended to put the user login success information in the session after logging in directly. When requesting, just use the interceptor to verify the session. Do not access the database. This database access operation is very expensive for every request.

    reply
    0
  • Cancelreply