So you actually want like a "Remember me on this computer" option? This is actually unrelated to OpenID part. Here's a language-agnostic way how you can do it:

所以你真的想要“在这台电脑上记住我”选项吗？这实际上与 OpenID 部分无关。这是一种与语言无关的方法，您可以这样做：

• First create a DB table with at least cookie_idand user_idcolumns. If necessary also add a cookie_ttland ip_lock. The column names speaks for itself I guess.

• On first-time login (if necessary only with the "Remember me" option checked), generatea long, unique, hard-to-guess key (which is in no wayrelated to the user) which represents the cookie_idand store this in the DB along with the user_id. Store the cookie_idas cookie value of a cookie with known cookie name, e.g. remember. Give the cookie a long lifetime, e.g. one year.

• On every request, check if the user is logged in. If not, then check the cookie value cookie_idassociated with the cookie name remember. If it is there and it is valid according the DB, then automagically login the user associated with the user_idand postpone the cookie age again and if any, also the cookie_ttlin DB.

• 首先创建一个至少包含cookie_id和user_id列的数据库表。如有必要，还添加一个cookie_ttl和ip_lock。我猜列名不言自明。

• 在第一次登录（如果必要的话只能用“记住我”选项选中），产生一个长期的，独特的，难以猜测的密钥（这是没有办法代表了与用户）cookie_id和其存储在DB 与user_id. 存储cookie_id具有已知 cookie 名称的 cookie的as cookie 值，例如remember。给 cookie 一个很长的生命周期，例如一年。

• 在每个请求中，检查用户是否登录。如果没有，则检查cookie_id与 cookie name 关联的 cookie 值remember。如果它在那里并且根据 DB 是有效的，则自动登录与 关联的用户user_id并再次推迟 cookie 年龄，如果有的话，也在cookie_ttlDB 中。

In Java/JSP/Servlet terms, make use of HttpServletResponse#addCookie()to add a cookie and HttpServletRequest#getCookies()to get cookies. You can do all the first-time checking in a Filterwhich listens on the desired recources, e.g. /*or maybe a bit more restricted.

在 Java/JSP/Servlet 术语中，使用HttpServletResponse#addCookie()添加 cookie 和HttpServletRequest#getCookies()获取 cookie。您可以在Filter侦听所需资源的情况下进行所有首次检查，例如，/*或者可能会受到更多限制。

With regard to sessions, you don't need it here. It has a shorter lifetime than you need. Only use it to put the logged-in user or the "found" user when it has a valid remembercookie. This way the Filtercan just check its presence in the session and then don't need to check the cookies everytime.

关于会话，您在这里不需要它。它的寿命比您需要的要短。仅当它具有有效remembercookie时才使用它来放置登录用户或“找到”用户。这样就Filter可以只检查它在会话中的存在，然后不需要每次都检查 cookie。

It's after all fairly straight forward. Good luck.

毕竟这是相当直接的。祝你好运。

See also:

也可以看看：

• How to implement "Stay Logged In" when user login in to the web application
• How do servlets work? Instantiation, sessions, shared variables and multithreading

• 如何在用户登录 Web 应用程序时实现“保持登录状态”
• servlet 是如何工作的？实例化、会话、共享变量和多线程

Well, the original reason I chose OpenID was so someone else could handle as much of the implementation and security of authentication for me.

好吧，我选择 OpenID 的最初原因是让其他人可以为我处理尽可能多的身份验证实施和安全性工作。

After looking into OpenID more, it appears there is something called an "Immediate Request" (http://openid.net/specs/openid-authentication-2_0.html#anchor28).

在更多地研究 OpenID 之后，似乎有一种叫做“立即请求”的东西（http://openid.net/specs/openid-authentication-2_0.html#anchor28）。

When requesting authentication, the Relying Party MAY request that the OP not interact with the end user. In this case the OP MUST respond immediately with either an assertion that authentication is successful, or a response indicating that the request cannot be completed without further user interaction.

请求身份验证时，依赖方可以请求 OP 不与最终用户交互。在这种情况下，OP 必须立即以身份验证成功的断言或指示在没有进一步用户交互的情况下无法完成请求的响应做出响应。

Because of this I think I could just store the user's openID url in the cookie, and use an immediate request to see if the user is authenticated or not. This way I don't have to do anything with my database, or implement any logic for preventing session hiHymaning of the long-lived cookie.

因此，我认为我可以将用户的 openID url 存储在 cookie 中，并使用立即请求来查看用户是否已通过身份验证。这样我就不必对我的数据库做任何事情，也不必实施任何逻辑来防止长期存在的 cookie 的会话劫持。

This method of doing it seems to be the way OpenID suggests to do it with their Relying Party Best Practicesdocument.

这样做的方法似乎是 OpenID 建议在其依赖方最佳实践文档中使用的方式。