How should I store a user's LDAP password in a cookie?

Problem description

So I have this black box authentication method, handed down to me from the accounts people, which basically amounts to ldap_bind($connection, $username, $password). But of course, I want my users to be able to log in for, say, 30 days at a time.

The naive but insecure way to handle this is to store the username and password in plaintext cookies, then validate these using my black box every time the user visits.

The way that usually works but doesn't because of my black box is to store the user's password in the database (or store it hashed?), and store the hashed version in the cookie, and then compare the values. This doesn't work here since my black box demands the actual password, not a hashed password.

My current thought is some kind of encryption (as opposed to hashing). But since this is obviously a common problem, I thought I'd best ask around first to see if there's a better solution lying around, or if not, what you would suggest for the encryption/decryption method.

Solution

This will not really answer your question, but you should NOT store your users' passwords, not even encrypted.

If you really, really have to do it, and the users understand that you are doing it, then store the password in a database of your application (encrypted, of course) and then send the user a cookie with a hash. When the user wants to log in, compare the hash to what you stored and only then send the unencrypted password to the LDAP. Never send the password (not even encrypted) to the user's machine.

Again, this is a very bad practice. If the LDAP does not allow you to store sessions/passwords, then there is probably a good reason for this.
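The design from the answer above, written out as an added Python sketch. This is not code from the original question or answer (which concern PHP's `ldap_bind()`), and it rests on labelled assumptions: `fake_ldap_bind()` and `FAKE_DIRECTORY` stand in for the real black-box bind, an in-memory dict stands in for the application database, and because the Python standard library has no AEAD, `encrypt()`/`decrypt()` use HMAC-SHA256 in counter mode with an encrypt-then-MAC tag purely as a runnable stand-in for AES-GCM. The cookie carries a random token rather than anything derived from the password, the server stores only a hash of that token, the password is decrypted only after the token matches and is unexpired, and a password change in the directory invalidates the cookie because the re-bind fails.

```python
import hashlib
import hmac
import os
import secrets
import time

TOKEN_TTL = 30 * 24 * 3600  # the "30 days at a time" from the question

# --- Stand-in for an AEAD (assumption: standard library only) -------------
# HMAC-SHA256 as a PRF in counter mode, then encrypt-then-MAC with a separately
# derived key. In production use AES-GCM or ChaCha20-Poly1305 from a vetted library.
def _subkey(master: bytes, label: bytes) -> bytes:
    """Derive independent subkeys so encryption and MAC never share a key."""
    return hmac.new(master, label, hashlib.sha256).digest()

def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    out, counter = bytearray(), 0
    while len(out) < n:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:n])

def encrypt(master: bytes, plaintext: bytes) -> bytes:
    """Return nonce || ciphertext || tag, with a fresh random nonce per call."""
    enc_key, mac_key = _subkey(master, b"enc"), _subkey(master, b"mac")
    nonce = os.urandom(16)
    stream = _keystream(enc_key, nonce, len(plaintext))
    ct = bytes(p ^ k for p, k in zip(plaintext, stream))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def decrypt(master: bytes, blob: bytes) -> bytes:
    """Verify the tag in constant time before touching the ciphertext."""
    enc_key, mac_key = _subkey(master, b"enc"), _subkey(master, b"mac")
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("ciphertext tampered with or wrong key")
    stream = _keystream(enc_key, nonce, len(ct))
    return bytes(c ^ k for c, k in zip(ct, stream))

# --- Server side of the remember-me design ---------------------------------
class RememberMeStore:
    """The browser only ever holds a random token; the password stays on the
    server, encrypted, and is decrypted solely to feed ldap_bind().
    Assumption: an in-memory dict stands in for the application database."""

    def __init__(self, master_key: bytes, ldap_bind, clock=time.time):
        self._key = master_key
        self._bind = ldap_bind      # callable(username, password) -> bool
        self._clock = clock
        self._rows = {}             # sha256(token) -> (username, enc_pw, expires)

    @staticmethod
    def _lookup_key(token: str) -> bytes:
        # Store only a hash of the token so a leaked table yields no usable cookies.
        return hashlib.sha256(token.encode()).digest()

    def issue_cookie(self, username: str, password: str) -> str:
        """Call once after an interactive login; returns the cookie value."""
        if not self._bind(username, password):
            raise PermissionError("interactive LDAP bind failed")
        token = secrets.token_urlsafe(32)
        self._rows[self._lookup_key(token)] = (
            username, encrypt(self._key, password.encode()), self._clock() + TOKEN_TTL)
        return token

    def login_with_cookie(self, token: str):
        """Return the username if the cookie is valid and LDAP still accepts
        the stored password, else None. Expired rows are deleted on sight."""
        row = self._rows.get(self._lookup_key(token))
        if row is None:
            return None
        username, enc_pw, expires = row
        if self._clock() > expires:
            self.revoke(token)
            return None
        password = decrypt(self._key, enc_pw).decode()
        return username if self._bind(username, password) else None

    def revoke(self, token: str) -> None:
        self._rows.pop(self._lookup_key(token), None)

# Constructed stand-in for ldap_bind(); not a real directory.
FAKE_DIRECTORY = {"alice": "correct horse battery staple"}

def fake_ldap_bind(username: str, password: str) -> bool:
    return FAKE_DIRECTORY.get(username) == password

def demo():
    store = RememberMeStore(os.urandom(32), fake_ldap_bind)
    token = store.issue_cookie("alice", FAKE_DIRECTORY["alice"])
    return store.login_with_cookie(token), store.login_with_cookie(token + "x")
```

The master key must live somewhere other than the table it protects (an environment secret, KMS or HSM); if it sits beside the encrypted passwords, a database dump hands over every user's directory credential at once, which is exactly the risk the answer is warning about. Because the server still re-binds on every cookie login, a password change in the directory, or a call to `revoke()`, cuts the session off immediately.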
