我应该用什么在PHP中验证用户身份? [英] What should I use for user authentication in PHP?
问题描述
我的想法写我自己的验证脚本,但我不知道很多有关安全。
I was thinking of writing my own authentication script but I don't know much about security.
从我读的文章,它看起来像它通常涉及与盐散列密码并将其存储在数据库中。然后,当用户请求登录,密码散列,并与数据库进行比较。如果它匹配,则该用户的数据被存储在$ _SESSION
From the articles I've reading, it looks like it usually involves hashing the password with a salt and storing it in the database. Then when user requests to log in, password is hashed and compared with the database. If it matches, then the user's data is stored in $_SESSION.
不过,我不知道这是否是安全的或没有。我读了一些关于在数据库中存储会话密钥,但我不知道如何工作的,或如何实现这一点。
However, I don't know if this is secure or not. I read something about storing session keys in the database but I'm not sure about how that works, or how to implement that.
有人能解释如何实现安全认证?
Can someone explain how to implement secure authentication?
此外,是否有这很容易学习,而不是写我可以将PHP的认证库中的任何建议我自己?
Also, are there any suggestions for PHP authentication libraries I can incorporate that are easy to learn instead of writing my own?
推荐答案
检查<一href=\"http://stackoverflow.com/questions/1581610/how-can-i-store-my-users-passwords-safely/1581919#1581919\">this回答这里。
虽然答案是3岁,建议 phpass 库是最新的。
Although the answer is 3 years old, the suggested phpass library is up to date.
此外,+1阿隆Cederholm。密码安全是一个广泛的主题,你应该先看看这里已经讨论StackOverflow上相关的问题,所以你会更熟悉安全主体和最佳实践。
Also, +1 to Aron Cederholm. Password security is an extensive subject and you should look first at the related questions already discussed here on StackOverflow so you will be more familiar with the subject and best practices in security.
虽然我喜欢框架( Symfony的, Zend的等),因为它们通常实现这些好的做法,只是使用起来不会让你一个好的程序员。你必须去学习它的内部运作。我总是敬礼程序员dwelving到编码自己的安全认证机制(只要他们没有实现在一个活的网站,真正需要强大的安全性),因为这是学习和理解这个问题的胆的最佳途径。总是从现有的实现开始,然后用它作为创建自己的codeBase的一个例子。
Although I like frameworks (Symfony, Zend, etc) as they generally implement these good practices, just using them don't make you a good programmer. You have to learn its inner workings. I always salute a programmer dwelving into coding his own secure authentication mechanism (as long as they don't implement it in a live site that really needs strong security), because that's the best way to learn and understand the inners of the subject. Always start from an existing implementation, and THEN use that as an example for creating your own codebase.
这篇关于我应该用什么在PHP中验证用户身份?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
