通过客户端的cookie标志来设置用户是否登录了安全吗？常用的加密算法加密后安全吗？...

2019独角兽企业重金招聘Python工程师标准>>>

1、通过在客户端cookie 设置是否登录标志，有可能会有安全隐患，当hack把cookie值修改后，可能就可以登录。

You could use this strategy described here as best practice (2006) or an updated strategy described here (2015):

1. When the user successfully logs in with Remember Me checked, a login cookie is issued in addition to the standard session management cookie.
2. The login cookie contains a series identifier and a token. The series and token are unguessable random numbers from a suitably large space. Both are stored together in a database table, the token is hashed (sha256 is fine).
3. When a non-logged-in user visits the site and presents a login cookie, the series identifier is looked up in the database.
   1. If the series identifier is present and the hash of the token matches the hash for that series identifier, the user is considered authenticated. A new token is generated, a new hash for the token is stored over the old record, and a new login cookie is issued to the user (it's okay to re-use the series identifier).
   2. If the series is present but the token does not match, a theft is assumed. The user receives a strongly worded warning and all of the user's remembered sessions are deleted.
   3. If the username and series are not present, the login cookie is ignored.

This approach provides defense-in-depth. If someone manages to leak the database table, it does not give an attacker an open door for impersonating users.

2、常用的加密算法并不安全

可以反向MD5 ，给出MD5或者其它常用加密算法的密文，通过查库，可以获得原文。

http://cmd5.com/

转载于:https://my.oschina.net/u/2308739/blog/742872