Problem description
I have been simply writing 2 cookies, 1 containing the user ID, and the 2nd containing 1/2 the SHA1 hash of the password (salted). The way it works is self-evident.
I realized that I wasn't doing this in the most secure way. What's a better way of doing this? Preferably using a single authentication cookie.
Also, is there a point to using "hard to calculate hashes"? By that I mean, using bcrypt, or hashing each item 10,000 times with Whirlpool, to make it a (relatively) slow hash function (200 ms vs. less than 1 ms for just plain SHA1)? I mean, if someone breaches your DB and gets the hashes... what is there left to protect, since all your data is in the same DB (unless you have some sort of a decentralized setup, which I don't)?
Recommended answer
Use sessions. Store the session id in the cookie, and store the state of the user on the server side (loggedIn, userId, IP).
To clarify what you need to store in the session array:
- loggedIn: A boolean variable about whether the user is logged in or not. You reuse the same cookie for multiple sessions, so you remember the user's username next time they come to your site, etc.
- userId: The unique id of the user in the database. Use this to get more information on the user, like username, email etc. This too can be kept in the session array after the user logs out.
- IP: To prevent someone from stealing the session id and using it, you store the IP of the user as well. This is optional, as sometimes you want to allow the user to roam (e.g., stackoverflow allows me to move about with my laptop without logging me out when the IP changes).
- lastPing: The timestamp the user was last seen. This can be used instead of the cookie expiration date. If you also store the lifetime of the session, then you can log the user out due to inactivity. This means that the session id cookie can be stored on the user's computer for a very long time.
When the user logs out or is logged out due to inactivity, you simply set loggedIn to false. When the user logs in with the right username and password you set loggedIn to true and update the other fields (userId, IP, lifetime). When the user loads a page, you check the lastPing against the current time and the lifetime, and either update lastPing or log out the user.
The session data can either be stored in the filesystem or in a database. If stored in a database, then userId is either a foreign key to the user record, or all the data can be put in the user record.
Rehashing a value several times is not a good idea, because you reduce the security. Instead use salt, combining a static salt (name of the page for example) and the username of the user, together with the password. A hash that takes a long time isn't better than a fast hash; a hash that results in a large digest is better than a hash that results in a short digest (due to brute force). Using SHA1 should be good enough for a normal site (i.e., not a bank or a secret military organization).
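The server-side session state the answer describes (loggedIn, userId, IP, lastPing, lifetime) and the per-request check of lastPing against the lifetime, as an added PHP example that is not code from the answer; the user id, addresses and timestamps in the walk-through are constructed, and the functions operate on a plain array so that `$_SESSION` can be passed in after `session_start()`.

```php
<?php
// Added example, not code from the answer: the session state it describes,
// kept as a plain array. In a real app pass $_SESSION to these functions
// after session_start(); the cookie then carries only the opaque session id.

function loginUser(array &$s, int $userId, string $ip, int $now, int $lifetime): void
{
    // Called only after the password check succeeded (hashing is out of scope here).
    $s['loggedIn'] = true;
    $s['userId']   = $userId;
    $s['IP']       = $ip;
    $s['lastPing'] = $now;
    $s['lifetime'] = $lifetime;
    // With $_SESSION also call session_regenerate_id(true) here, so a session id
    // issued before login cannot be reused as a logged-in one.
}

function logoutUser(array &$s): void
{
    // As the answer suggests: keep userId so the site can remember the user,
    // only flip the flag; nothing in the cookie needs to change.
    $s['loggedIn'] = false;
}

// Per-request check: returns true for a live login, otherwise logs the user out.
// $bindIp = false allows roaming, which the answer describes as optional.
function checkSession(array &$s, string $clientIp, int $now, bool $bindIp = true): bool
{
    if (empty($s['loggedIn'])) {
        return false;
    }
    if ($bindIp && ($s['IP'] ?? null) !== $clientIp) {
        logoutUser($s);                    // session id presented from another address
        return false;
    }
    if ($now - (int) ($s['lastPing'] ?? 0) > (int) ($s['lifetime'] ?? 0)) {
        logoutUser($s);                    // idle longer than the lifetime
        return false;
    }
    $s['lastPing'] = $now;                 // still active: refresh the idle timer
    return true;
}

// Constructed walk-through with a 30-minute lifetime (values are made up).
$session = [];
loginUser($session, 42, '203.0.113.7', 1000, 1800);
var_dump(checkSession($session, '203.0.113.7', 1000 + 600));   // 10 min idle, same address
var_dump(checkSession($session, '198.51.100.9', 1000 + 700));  // same id from another address
loginUser($session, 42, '203.0.113.7', 2000, 1800);
var_dump(checkSession($session, '203.0.113.7', 2000 + 1801));  // one second past the lifetime
```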
This concludes the article on "What is the best way to do user authentication in PHP?". We hope the recommended answer is helpful, and thank you for your support!