PHP使用Cookie和Salted Hashes的登录系统 [英] PHP Login system using Cookies and Salted Hashes

问题描述

我正在开发一个基于PHP的登录系统。
每个用户都有一个ID（一个数字）和一个密码，它存储为一个盐化的哈希。

我可以弄清楚，成功与否，但现在我需要将信息存储在某个地方（以便用户不会永久退出）。

在过去，我玩过$ _SESSION变量。然而，当用户离开浏览器时，这些似乎被删除，这是不希望的。
此外，我不能假设用户不会试图欺骗系统，所以它必须是安全的。

因此，这里是我的问题：

1. 我应该使用 $ _ SESSION 或 $ _COOKIE ？


2. 这些方法的主要优点是什么？


3. 如何实现记住我复选框？会话/ Cookie变量？

请注意，在此特定问题中未考虑数据库安全问题。

关于数字3，我的意思是：

• 我应该存储ID和散列密码/


• 应在Cookie /会话中存储用户的ID和非哈希密码，还是


• 我应该存储SessionID和密码（散列或非散列吗？）或


• 是否应存储SessionID，ID再次，散列或非散列）？

我想保持我的网站安全，但效率和用户友好。
如果采用基于SessionID的方法，我也会对如何将它存储在数据库中有一些解释。

提前感谢您

编辑：Eran和Brian的答案似乎是我需要的。不幸的是，我只能将其中一个标记为接受。

解决方案

我要重申Eran的观点永不存储用户密码，甚至在会话或Cookie数据中存储密码的哈希值。

一般来说，我使用Cookie在网络应用程序中实现了记住我的功能。有关构建安全持久登录系统的信息，最好从这个博客张贴在鱼缸上。 另一个Stack Overflow answer 已涵盖了深入的答案。

如果您需要确保登录安全，您必须使用https。这是因为如果Cookie或会话未加密，Cookie或会话可能会被盗。

另一个好的做法是使用2级登录系统。您可以在亚马逊等网站上看到这些信息，您可以在不登录的情况下将内容添加到您的购物车，但如果您想以某种方式结帐或修改帐户，则必须再次输入密码。

I am developing a PHP-based login system. Each user has an ID(a number) and a password, which is stored as a salted hash.

I am able to figure out if a login is sucessful or not, but now I need to store that information somewhere(so that the user is not permanently logged out).

In the past, I've played with $_SESSION variables. However, these seem to be deleted when the user leaves the browser, which is undesired. Also, I can not "assume" that the user won't try to trick the system, so it has to be safe.

So, here are my questions:

1. Should I use $_SESSION or $_COOKIE? What are the main advantages of each of these approaches?
2. How to implement a 'Remember me' checkbox?
3. Which information should be stored in the session/cookie variable?

Note that no database security issues are being taken in consideration in this particular question.

Regarding number 3, what I mean exactly is:

• Should I store the ID and the hashed password of the user in the cookie/session, or
• Should I store the ID and the non-hashed password of the user in the cookie/session, or
• Should I store a "SessionID" and the password(hashed or non-hashed?) or
• Should I store a "SessionID", the "ID" and the password(once again, hashed or non-hashed)?

I want to keep my website as safe but efficient and user-friendly as possible. If a SessionID-based approach is taken, I'd also appreciate some explanation regarding how to store it in the database.

Thank you in advance

EDIT: Eran's and Brian's answers combined seem to be what I need. Unfortunately, I can only mark one of them as accepted. I'll try to go ahead and implement to see which one was more useful.

解决方案

I want to reiterate Eran's point never store the users password or even a hash of the password in session or cookie data.

In general I've implemented the remember me functionality in web apps using Cookies. A good place to start for information on building a "secure" persistent login system is this blog post on the fishbowl. An in-depth answer is already covered in another Stack Overflow answer.

If you need to have ensure that the login is secure you have to use https. This is because cookies or sessions can be stolen if they aren't encrypted.

Another good practice to follow is the 2-level login system. You can see this at sites like Amazon, where you can add things to your cart without logging in but if you want to checkout or edit your account in some fashion you have to enter your password again.

这篇关于PHP使用Cookie和Salted Hashes的登录系统的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！