使用 Cookie 通过 Javascript 设置用户名和密码
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/20568021/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
Using Cookie to set username and password via Javascript
提问by Saad Sarwar
I am using a checkCookie function to see whether a username and password exists in cookie.I know using cookie is not a secure method but I am only using it on trial basis, so please be lenient.
On first execution, it will prompt the user for its username and password and will store it in document.cookie by using setCookie();and on re-executing code, it will only ask the username and will check cookie to retrieve the corresponding password. Below is my checkCookiefunction JS:-
我正在使用 checkCookie 函数来查看 cookie 中是否存在用户名和密码。我知道使用 cookie 不是一种安全的方法,但我只是在试用基础上使用它,所以请宽大处理。在第一次执行时,它会提示用户输入用户名和密码,并通过使用setCookie();和重新执行代码将其存储在 document.cookie 中,它只会询问用户名并检查 cookie 以检索相应的密码。下面是我的 checkCookiefunction JS:-
function checkCookie() {
var username = prompt("Please enter your name:", "");
var password;
if (flag == 0) { //flag=0 shows cookie is not set
password = prompt("Please enter your password:", "");
username += "!";
username += password;
alert("Username = " + username);
setCookie("username", username, 365); //save input in cookie
} else //if cookie is already set with some username+password
{
var n = getCookie("username", username); //this retrieves the password from Cookie
if (n) {
alert("FLAG= 1 The user's password is " + n);
} else
alert("FLAG= 1 User password doesnot exist ")
}
} //checkCookie function end
Now I have these questions regarding the above code.
现在我对上面的代码有这些疑问。
1) I am trying to use a flag variable, whose value is initally 0, but whenever a username is stored in Cookie, flag value should become 1. In C, we can do this by declaring a static variable flag, but how to achieve this in JS ?
1)我试图使用一个标志变量,它的值最初是0,但是每当一个用户名存储在Cookie中时,标志值应该变成1。在C中,我们可以通过声明一个静态变量标志来做到这一点,但如何实现这在 JS 中?
2) Plus my complete Javascript is allowing me to get password corresponding to a username, how can I use it to auto-fill password field on lets say gmail.com webpage password field?
If i use getElementByID("password").innerHTML = password, will it auto-fill the document's password field ?
2)加上我完整的 Javascript 允许我获取与用户名对应的密码,我如何使用它来自动填充密码字段,比如 gmail.com 网页密码字段?
如果我使用getElementByID("password").innerHTML = password,它会自动填充文档的密码字段吗?
3) When I run the code on JSFiddle.net, the username cookie is saved. But when I refresh the JSFiddle.net, cookie values are reset! How can I make my cookie value persistent(fixed) on page reload?
3) 当我在 JSFiddle.net 上运行代码时,用户名 cookie 被保存。但是当我刷新 JSFiddle.net 时,cookie 值被重置!如何在页面重新加载时使我的 cookie 值持久化(固定)?
Looking forward to some good suggestions. Thanks for reading
期待一些好的建议。谢谢阅读
回答by James Donnelly
You should never store usernames and passwords as cookies, even if they're encrypted or hashed, this is bad practice as anyone could just come along and inspect the user's network traffic and steal their identity. Storing usernames and passwords as cookies essentially broadcasts them to anyone who may be looking in.
您永远不应该将用户名和密码存储为 cookie,即使它们被加密或散列,这是不好的做法,因为任何人都可能会过来检查用户的网络流量并窃取他们的身份。将用户名和密码存储为 cookie 本质上是将它们广播给可能正在查看的任何人。
Instead you should create a login page which stores a session token and the user's IP in your database and sets that as the cookie, then when a user has your session token cookie all you need to do is compare that and the user's IP address with your tokens table in your database to check whether they are logged in or not.
相反,您应该创建一个登录页面,在您的数据库中存储会话令牌和用户的 IP 并将其设置为 cookie,然后当用户拥有您的会话令牌 cookie 时,您需要做的就是将其和用户的 IP 地址与您的 IP 地址进行比较数据库中的令牌表以检查它们是否已登录。
If the same person comes along and inspects the network traffic, all they'll get is the session token. Sure, they could potentially use this to steal the session, but they'd need the same IP address.
如果同一个人出现并检查网络流量,他们将获得的只是会话令牌。当然,他们可能会使用它来窃取会话,但他们需要相同的 IP 地址。
This is why websites should also always require a password to be re-entered when letting users modify account information.
这就是为什么网站在让用户修改帐户信息时也应始终要求重新输入密码的原因。
See this Wikipedia article on Session HiHymaningfor further reading.
如需进一步阅读,请参阅这篇关于会话劫持的 Wikipedia 文章。
回答by TecBrat
I'll skip the lecture and give you what you asked for:
我会跳过讲座,给你你所要求的:
document.getElementById("password").value = password;
document.getElementById("password").value = password;
seems to work (tested in jsfiddle)
似乎工作(在 jsfiddle 中测试)
