开发一个安全的PHP登录和认证策略 [英] Developing a secure PHP login and authentication strategy

问题描述

我正在开发一个新的PHP网站登录和认证制度，对各种攻击和漏洞已经被阅读了。然而，这是一个有点混乱，所以我想检查我的做法是有道理的。

I'm developing a login and authentication system for a new PHP site and have been reading up on the various attacks and vulnerabilities. However, it's a bit confusing, so I want to check that my approach makes sense.

我计划在存储以下数据：

I plan on storing the following data:

• 在会话：用户ID，散列+咸鱼 HTTP_USER_AGENT

• In the session: user-id, hashed + salted HTTP_USER_AGENT

在cookie中，并在数据库：随机令牌，散列+咸鱼标识符

In the cookie and in the database: random token, hashed + salted identifier

在每一页，我打算做以下内容：

On every page, I plan on doing the following:

1. 如果会话存在，验证使用。检查 HTTP_USER_AGENT 相匹配的中存储的会话。

1. If a session exists, authenticate using that. Check that the HTTP_USER_AGENT matches the one in the stored session.

如果会话不存在，使用cookie进行身份验证。检查cookie中的令牌和标识符匹配在数据库中。

If no session exists, use the cookie to authenticate. Check that the token and identifier in the cookie match those in the database.

如果cookie无效或者不存在，询问用户登录。

有没有了任何明显的缺陷？只要我在cookie设置一个超时，我应该是相当安全的，对吗？有什么我失踪？

Are there any obvious flaws in this? As long as I set a timeout in the cookie, I should be fairly safe, right? Is there anything I'm missing?

提前非常感谢。

推荐答案

一些随机的想法：

1. 如果我偷你的一个用户（使用注射在您的网站上一些JS code XSS攻击）的饼干吗？然后，我将下降的情况下，2，从而能够登录。恕我直言，如果你想要一个真正的安全认证，不要使用记住我型cookie来存储用户凭据。


2. 如果你存储在cookie中的凭证，请不要将密码以明文存储。


3. 检查的 HTTP_USER_AGENT 是一个良好的开端，以prevent会话劫持，但也许你可以与IP地址结合起来呢？这是更为困难的是同一台主机不是你的目标不是简单地使用相同的浏览器上。

1. What if I steal the cookie of one of your users (using an XSS attack by injecting some JS code in your website) ? I will then fall in case 2. and thus be able to log in. IMHO, if you want a really secure authentication, do not use "remember me"-type cookies to store user credentials.
2. If you do store the credentials in a cookie, please don't store the password in clear.
3. Checking for the HTTP_USER_AGENT is a good first step to prevent session hijacking, but maybe you could combine it with the IP address ? It is far more difficult to be on the same host than your target than to simply use the same browser.

但在任何情况下，感谢您抽出宝贵思考一个良好的认证方案的时间。很多PHP开发人员不知道。

But in any case, thanks for taking the time of thinking about a good authentication scheme. A lot of PHP developers don't.

编辑：备案，让我在这里澄清一点：有这discusion两个cookie。一个被PHP自动设置为传播会话ID（有时，我们看到的网站把它的URL，例如www.example.com/page.php?sessionId = [...]），而第二个由您创建为了存储用户凭据，当会话丢失验证了他。该XSS攻击适用于，即攻击者可以窃取任何会话cookie并劫持了会议（其中有一个有限的寿命），或窃取的凭证饼干，后来验证。

for the record, let me clarify a point here : there are two cookies in this discusion. One being set automatically by PHP to propagate the session ID (sometimes, we see websites putting it in the URL, eg www.example.com/page.php?sessionId=[...]), and the second one created by you in order to store the user credentials and authenticate him when the session is lost. The XSS attack applies to both, ie an attacker could either steal the session cookie and hijack the session (which has a limited lifetime), or steal the credentials cookie and authenticate later.

这篇关于开发一个安全的PHP登录和认证策略的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！