CouchDB Authentication


Question

I've read a lot of things about authentication in CouchDB, especially regarding the Cookie Authentication. I'm still making some tests and all seems working well, for instance with this command:

curl -vX POST $HOST/_session -H 'application/x-www-form-urlencoded' -d 'name=foo&password=bar'

I get a Cookie that I can use. But my point is, anytime I see this kind of sample on the Web, the username and password are always sent in plain text.

I'm really new to security but what's the interest of the Cookie Auth method if I first have to send my credentials in clear?

Is there a way to send at least the password hashed? With something like that, IDK:

curl -vX POST $HOST/_session -H 'application/x-www-form-urlencoded' -d 'name=foo&hashed_password=hashed_bar'

Cheers,

Arnaud

Answer

If you send your password hashed then all the attacker needs to know is your hashed password, so it wouldn't solve the problem of sending your password in cleartext - now you would have a problem of sending your hash in cleartext.

Also remember that even if that solved the problem, you would still be sending your cookie in cleartext, being vulnerable to session hijacking.

(There's also the HTTP digest access authentication, but not without its own problems - but CouchDB didn't support it last time I checked anyway.)

What you should do is to always use HTTPS for any authenticated CouchDB access with any network involved, except maybe the 127.0.0.0 network.

(And yes, pretty much all of the examples on the web and in books show using basic or cookie authentication over HTTP, which in my opinion is a disaster waiting to happen.)
