This may be a combination of several problems.
1. How can a single system implement a more secure login-free (remember-me) feature?
The origin of this problem: I have seen many systems that offer a "stay logged in for two weeks" option. What it actually does is certainly a cookie: when you click Login at the login screen, the values of the login form are restored from a cookie, so you can just click Login directly; or, going further, the login is performed by default on access, which of course must still be done by reading the cookie.
However, I have seen many that save the login form values, the username and password, on the client. Isn't that unsafe? What is a good approach?
2. The second is about two different systems.
A company with one product may have different projects and different terminals, and suppose the accounts are managed centrally. Then, when users want to enter the account center, in what way can they click an account-center function inside system B or C and enter it directly logged in? In fact this is login-free, because they may already have logged in inside B or C.
Reply content:
http://segmentfault.com/q/1010000000641642#a-1020000000641757
Simply put, the idea is that the cookie remembers the user ID and a generated credential; when the user accesses the site, the server is queried whether the two match, and if they match the user is logged in directly.
The core of all login-free schemes is to save the login credential on the client.
One
Since the TCP protocol is connection-oriented rather than session-oriented, extra functionality is needed to store the credential on the server side and on the client side.
The simplest idea is to keep the username and password in a cookie, and the server compares them with the original contents in the database.
However, the contents of the cookie are transmitted in plaintext and may leak from the browser and the file system. So someone thought of a scheme of encrypting the username and password.
A. Encrypt the password with a key saved on the server; the server decrypts the credential.
B. Compute a hash value with a hash algorithm, send it to the server, and compare it with the original hash.
Both of these schemes essentially just change the login credential from the username and password into something derived from the user's password; the protection of the credential is not increased, and contents leaked from the cookie can still be used for arbitrary logins.
Merely encrypting the credential only makes the encryption result the credential.
It is necessary to add to the credential something that is difficult to change or reproduce.
UserAgent, IP address and so on are commonly used as supporting material for a login credential.
Encrypting/hashing the credential together with the username and password can supplement the scheme above, and the server does not need to save extra data for a particular session.
Even so, if the credential is stolen, just as when the password is stolen, the server must have the ability to destroy the login credential.
Scheme: add a distinguishing random number from the server side into the login credential, so that simply changing the saved result on the server side destroys the original login credential.
This scheme can also be used to invalidate the original session when logging in again.
If you need the login to last only for a period of time, just add the time of the first login to the credential.
Two
With a well-established login credential, everything else is easy to do, following the account-management system.
For example, google.com and Gmail share cookies; google.com and YouTube.com use redirects, frames, img tags and so on to pass the credential through and save cookies.
All in all, the core of all login-free schemes is to save the login credential on the client.
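The remember-me credential described in this answer (user ID plus a generated credential bound to the UserAgent, with a server-side random number that can be rotated to revoke it and an expiry derived from the first login) as an added example; this is illustrative code, not from the original thread, and the key, user store and TTL are constructed assumptions:

```python
import hashlib
import hmac
import secrets
import time

# Assumed server-side secret (constructed; in practice loaded from config or a KMS).
SERVER_KEY = b"constructed-server-key-do-not-reuse"

# Per-user server-side random number (the answer's "distinguishing random number").
# Rotating it invalidates every remember-me credential issued for that user.
# Constructed in-memory store standing in for the database.
user_nonce = {"alice": secrets.token_hex(16)}

def _sign(user_id, expires, nonce, user_agent):
    # HMAC over user id, expiry, server nonce and UserAgent; no password material involved.
    msg = f"{user_id}|{expires}|{nonce}|{user_agent}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()

def issue_credential(user_id, user_agent, ttl_seconds=14 * 86400, now=None):
    """Build the cookie value 'user:expiry:tag' at first login (assumed 14-day TTL)."""
    now = int(time.time()) if now is None else now
    expires = now + ttl_seconds
    tag = _sign(user_id, expires, user_nonce[user_id], user_agent)
    return f"{user_id}:{expires}:{tag}"

def verify_credential(cookie_value, user_agent, now=None):
    """Return the user id if the cookie is valid for this client, else None."""
    now = int(time.time()) if now is None else now
    try:
        user_id, expires_str, tag = cookie_value.rsplit(":", 2)
        expires = int(expires_str)
    except ValueError:
        return None  # malformed cookie
    if user_id not in user_nonce or expires < now:
        return None  # unknown user or expired credential
    expected = _sign(user_id, expires, user_nonce[user_id], user_agent)
    if not hmac.compare_digest(expected, tag):  # constant-time comparison
        return None  # tampered, stolen to another client, or revoked
    return user_id

def revoke_all(user_id):
    """Password change or 'log out everywhere': rotate the server-side nonce."""
    user_nonce[user_id] = secrets.token_hex(16)
```

A credential copied out of the browser still fails if the UserAgent differs or the nonce has been rotated, which is the property the answer asks for.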
Set the expiration time of the cookie a bit longer.
On the first question, having the client remember the account and password is obviously a very amateurish approach =_,=
If only cookies are used, then the client should remember the cookie instead of remembering the account and password.
The second requirement you mention is generally called "Single Sign-On".
I just Googled a bit and found an article; the figures inside should also make a good comparison:
http://www.cnblogs.com/yupeng/archive/2012/05/24/2517317.html
Answer to the 1st.
In general, the username and password are not stored in the cookie. Taking sessions as an example: the server sets a unique sid (generally called sessionid); at the time of the second login, check whether the sid exists and "remember me" is set; if both exist, and the sid can retrieve data on the server, then set the session to log in directly.
First question.
Your description contains two ways. The first is that the server directly reads the cookie to verify the user information, which is the traditional way. The second is that when the user opens the login page, a script inside reads the data from the cookie and then logs in. For the first, it is safe as long as the username and password are not kept in the cookie in plaintext; for example, you can refer to the authcode in Discuz. But in the second, because the decryption algorithm is in the client, even if it cannot be read directly, one can also copy the JS script and reuse it, so there is a certain danger.
In addition, the browser's saving of form contents can only be turned on or off by the user; the application cannot control it.