Token based session management

Question

I use a GO server (golang.org), which does have good support for encryption and third party package which provides basic cookie based session handling. I am looking for guidelines on generating tokens, and good practice to store, invalidate etc. My application need custom user management. Can one use Oauth in an offline setting, or any better way?

Answer 1

Score: 4

Generally, session cookies should be:

  • opaque. You should not be passing any information hidden in the cookie. It is merely an identifier.
  • unguessable. You wouldn't want people to be able to guess other people's session tokens and hijack them.
  • collision resistant. If you have thousands of users on your site all at the same time, you need reasonably large tokens so two users don't end up with the same token.
  • stored safely. Save your session information somewhere web browsers (and other public users) have no access to them. Usually this means saving them on disk outside of the server's document tree, or putting them into a database.
  • deleted close to expiration. You don't want to keep session data forever. Once in a while, you need to go through the session data and delete everything that has expired.

I'm not sure where OAuth comes into this, since that is an authentication system and you're asking about session management. (Although I realize the two can be related.)
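The five properties listed in the answer, put into a small Go session store as an added example (not code from the answer or from any particular package): the token is 256 bits of `crypto/rand` output and carries no user data, the user mapping lives only on the server, and expired entries are dropped both on lookup and by a periodic sweep. `Store`, `Session`, `Create`, `Lookup` and `Sweep` are hypothetical names chosen here; locking and persistence are left out.

```go
package main

import (
	"crypto/rand"
	"encoding/base64"
	"errors"
	"time"
)

// Session state stays on the server; the token is only a lookup key.
type Session struct {
	UserID  string
	Expires time.Time
}
// Store is a hypothetical in-memory table keyed by opaque token (no locking shown).
type Store map[string]Session

// Create draws a 32-byte (256-bit) token from crypto/rand, so it is unguessable
// and collisions are negligible, and stores the user mapping server-side only.
func (s Store) Create(userID string, now time.Time, ttl time.Duration) (string, error) {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	tok := base64.RawURLEncoding.EncodeToString(b)
	s[tok] = Session{UserID: userID, Expires: now.Add(ttl)}
	return tok, nil
}

// Lookup maps a token to its user; unknown or expired tokens are rejected and
// dropped. Logout (invalidation) is the same delete on the live token.
func (s Store) Lookup(tok string, now time.Time) (string, error) {
	sess, ok := s[tok]
	if !ok || !now.Before(sess.Expires) {
		delete(s, tok)
		return "", errors.New("invalid or expired session")
	}
	return sess.UserID, nil
}

// Sweep deletes every expired session; run it periodically.
func (s Store) Sweep(now time.Time) (n int) {
	for tok, sess := range s {
		if !now.Before(sess.Expires) {
			delete(s, tok)
			n++
		}
	}
	return n
}
```

A real deployment would keep the table behind a mutex or in a database and compare the cookie value against the stored key with a constant-time lookup path, but the token and expiry handling stay the same.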

huangapple, posted 2012-10-30 08:26:24
Source: https://go.coder-hub.com/13131587.html