1. Marking the user as "logged in" with a flag in a client-side cookie is a security risk: once an attacker modifies the cookie value, they may be able to log in without credentials.
You could use the strategy described here as the 2006 best practice, or the updated strategy described here (2015):
- When the user successfully logs in with Remember Me checked, a login cookie is issued in addition to the standard session management cookie.
- The login cookie contains a series identifier and a token. The series and token are unguessable random numbers from a suitably large space. Both are stored together in a database table, the token is hashed (sha256 is fine).
- When a non-logged-in user visits the site and presents a login cookie, the series identifier is looked up in the database.
- If the series identifier is present and the hash of the token matches the hash for that series identifier, the user is considered authenticated. A new token is generated, a new hash for the token is stored over the old record, and a new login cookie is issued to the user (it's okay to re-use the series identifier).
- If the series is present but the token does not match, a theft is assumed. The user receives a strongly worded warning and all of the user's remembered sessions are deleted.
- If the username and series are not present, the login cookie is ignored.
This approach provides defense-in-depth. If someone manages to leak the database table, it does not give an attacker an open door for impersonating users.
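The series/token scheme above, as an added example (not from the original post or the linked articles); the in-memory dictionary stands in for the database table, and only the SHA-256 hash of the token is stored server-side, so a leaked table still cannot be turned into a valid cookie:

```python
import hashlib
import secrets

# Constructed stand-in for the database table: series identifier -> record.
# A real deployment would keep this in a persistent store.
REMEMBER_ME: dict[str, dict[str, str]] = {}


def _hash(token: str) -> str:
    return hashlib.sha256(token.encode()).hexdigest()


def issue_login_cookie(user_id: str) -> tuple[str, str]:
    """Called after a successful password login with Remember Me checked.
    Returns the (series, token) pair for the login cookie; the server only
    keeps the token's hash, never the token itself."""
    series = secrets.token_urlsafe(32)   # unguessable, from a large space
    token = secrets.token_urlsafe(32)
    REMEMBER_ME[series] = {"user_id": user_id, "token_hash": _hash(token)}
    return series, token


def check_login_cookie(series: str, token: str):
    """Validate a presented login cookie.
    Returns ("ok", user_id, new_cookie), ("theft", user_id, None)
    or ("ignore", None, None)."""
    record = REMEMBER_ME.get(series)
    if record is None:
        return ("ignore", None, None)       # unknown series: ignore the cookie
    if not secrets.compare_digest(record["token_hash"], _hash(token)):
        # Series known but token wrong: the cookie was presumably stolen and
        # already used once. Drop every remembered session for this user.
        user_id = record["user_id"]
        for s in [s for s, r in REMEMBER_ME.items() if r["user_id"] == user_id]:
            del REMEMBER_ME[s]
        return ("theft", user_id, None)
    # Valid cookie: rotate the token, re-use the series identifier.
    new_token = secrets.token_urlsafe(32)
    record["token_hash"] = _hash(new_token)
    return ("ok", record["user_id"], (series, new_token))
```

A replay of an old token after rotation is what trips the theft branch, which is why every remembered session for that user is revoked rather than just the one series.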
2. Commonly used "encryption" (hash) algorithms are not secure on their own
MD5 can be reversed in practice: given an MD5 digest (or the output of another common algorithm), a lookup in a precomputed database can recover the original plaintext.
http://cmd5.com/