Any gotchas I should be aware of regarding this approach to persistent logins ("Remember Me")?


Problem description

This web application will have a database table with columns uniqueid (64-bit int autoincrement field; key), token (64-byte binary field), and an accountid.

After logging in with "Remember Me" checked, a random token will be generated. Then the SHA-512 hash of this token will be inserted into the database and the generated uniqueid retrieved. A cookie that contains the uniqueid and unhashed token is sent to the client.

Every time a user visits the page with the cookie, the cookie's uniqueid and its token's SHA-512 hash will be checked against the database. If there is a row that matches the uniqueid, and that row's token hash matches the token hash, log in the user with the row's accountid. After every authentication attempt made by the cookie, delete the row that uses the old uniqueid and, if the authentication was successful, generate a new random token. Then the SHA-512 hash of this token will be inserted into the database and the generated uniqueid retrieved. A cookie that contains the uniqueid and unhashed token is sent to the successfully authenticated client.

I will be using the techniques described here as well. All failed cookie authentications will have the cookies set to blank values and expiration date set to sometime in the past.

I believe this method would address a few concerns regarding cookies. Namely:

  1. The token in the database is hashed so that as long as an attacker does not have write access to the database, he/she will not be able to forge cookies of all users.

  2. Unique IDs are used instead of a user's account name because login credentials should never be stored in a cookie.

  3. A random token is generated every time the cookie is authenticated so that if an attacker steals a cookie, it will only be valid until the user next logs in rather than for the entire time the user is remembered.

I can further enhance security by allowing the user to specify how long he/she wants to be remembered for. The expiration date will be stored in the same database table that stores uniqueid and tokens. Every time a new cookie is created, this expiration will be sent with the cookie. If a user tries logging in with a cookie that the server deems expired but the client still holds, the login will be denied.

I believe this solution is reasonably secure, but are there any pitfalls or things that I have overlooked when I designed this method?

Sources:

Hash token in database: http://stackoverflow.com/a/8508213/444402

Do not store the account name in the cookie, and use a new unique ID after every authentication

Recommended answer

When it comes to security, reasonable is always relative. :) It is reasonable if you think it is appropriate vs. the threats you face. That said, here are a few things I'd do if it were my app and I believed I was actually going to need to protect it from attack...


  • Stamp something into the token / b/e that allows you to correlate back to the original authentication event, then log it in all cookie operations. This way you can do correlation if (when :)) people get hacked and you want to figure out what happened when.
  • On the b/e, make sure you implement "invalidate all of my outstanding tokens" as a feature of the system. Then wire this into all "suspicious" events automatically.
  • Store geo information in the cookie / in the b/e with the row that corresponds with the cookie. Start by logging it. Eventually you'll want to do more. As you study people that get hacked you'll find more and more things you can do with this data. If you don't have the data, you can't learn.
  • Lots of instrumentation. Lots and lots of instrumentation. Retain it for years. Everything gets an event, log everything you know in that event when it happens. Good visualization / lookup tools that you can use to figure out what happened when.

There are of course zillions more things you could do, this is just a starter list...
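The scheme from the question (hashed single-use tokens keyed by uniqueid, rotation on every successful check, a per-user expiry stored server-side) together with the first two bullets of the answer (a correlation id stamped into every row and logged with each cookie operation, and an "invalidate all of my outstanding tokens" feature wired to suspicious events), as an added example that is not code from either poster. It uses Python over an in-memory SQLite table; the cookie format uniqueid:tokenhex, the series and auth_events columns, the event names, and the decision to treat a wrong token presented with a live uniqueid as a suspicious event are assumptions of this example, not part of the question or the answer.

```python
import hashlib
import hmac
import secrets
import sqlite3
import time

# Columns from the question (uniqueid, token hash, accountid, expiry) plus a
# "series" column: the id of the original login event, carried across every
# rotation so all cookies descending from one login can be correlated.
# auth_events is the instrumentation table the answer asks for (assumption).
SCHEMA = """
CREATE TABLE remember_me (
    uniqueid   INTEGER PRIMARY KEY AUTOINCREMENT,
    token_hash BLOB    NOT NULL,   -- SHA-512 of the raw token (64 bytes)
    accountid  INTEGER NOT NULL,
    series     TEXT    NOT NULL,   -- original login event id (assumption)
    expires_at INTEGER NOT NULL    -- unix time chosen by the user
);
CREATE TABLE auth_events (
    ts INTEGER NOT NULL, series TEXT, kind TEXT NOT NULL,
    uniqueid INTEGER, accountid INTEGER, client_ip TEXT
);
"""


class RememberMe:
    def __init__(self, conn, now=time.time):
        self.conn = conn
        self.now = now  # injectable clock so expiry can be exercised in tests
        conn.executescript(SCHEMA)

    def _log(self, kind, series=None, uniqueid=None, accountid=None, ip=None):
        self.conn.execute("INSERT INTO auth_events VALUES (?, ?, ?, ?, ?, ?)",
                          (int(self.now()), series, kind, uniqueid, accountid, ip))

    def _insert(self, accountid, series, expires_at):
        # Store only the hash; the raw token exists nowhere but in the cookie.
        token = secrets.token_bytes(32)
        cur = self.conn.execute(
            "INSERT INTO remember_me (token_hash, accountid, series, expires_at) "
            "VALUES (?, ?, ?, ?)",
            (hashlib.sha512(token).digest(), accountid, series, expires_at))
        return f"{cur.lastrowid}:{token.hex()}"  # cookie value (assumed format)

    def issue(self, accountid, ttl_seconds, client_ip=None):
        """Called after a password login with "Remember Me" checked."""
        series = secrets.token_hex(8)
        cookie = self._insert(accountid, series, int(self.now()) + ttl_seconds)
        self._log("issue", series, int(cookie.split(":")[0]), accountid, client_ip)
        return cookie

    def authenticate(self, cookie, client_ip=None):
        """Return (accountid, replacement cookie) or None. The presented row is
        deleted whatever the outcome, so every cookie value is single-use."""
        try:
            uid_str, token_hex = cookie.split(":", 1)
            uniqueid, token = int(uid_str), bytes.fromhex(token_hex)
        except ValueError:
            self._log("malformed", ip=client_ip)
            return None
        row = self.conn.execute(
            "SELECT token_hash, accountid, series, expires_at FROM remember_me "
            "WHERE uniqueid = ?", (uniqueid,)).fetchone()
        if row is None:
            self._log("unknown_id", uniqueid=uniqueid, ip=client_ip)
            return None
        token_hash, accountid, series, expires_at = row
        self.conn.execute("DELETE FROM remember_me WHERE uniqueid = ?", (uniqueid,))
        # Constant-time comparison of the stored hash with the presented token's hash.
        if not hmac.compare_digest(token_hash, hashlib.sha512(token).digest()):
            # Live uniqueid but wrong token: treated as a suspicious event
            # (assumption) and wired to the answer's invalidate-all feature.
            self._log("bad_token", series, uniqueid, accountid, client_ip)
            self.invalidate_all(accountid)
            return None
        if expires_at <= int(self.now()):
            self._log("expired", series, uniqueid, accountid, client_ip)
            return None
        # Success: rotate the token, keeping the series and the user's expiry.
        new_cookie = self._insert(accountid, series, expires_at)
        self._log("rotate", series, int(new_cookie.split(":")[0]), accountid, client_ip)
        return accountid, new_cookie

    def invalidate_all(self, accountid):
        """The answer's 'invalidate all of my outstanding tokens' feature."""
        cur = self.conn.execute("DELETE FROM remember_me WHERE accountid = ?", (accountid,))
        self._log("invalidate_all", accountid=accountid)
        return cur.rowcount

    def history(self, accountid):
        """(series, kind) for every logged event of an account, oldest first."""
        return self.conn.execute(
            "SELECT series, kind FROM auth_events WHERE accountid = ? ORDER BY rowid",
            (accountid,)).fetchall()
```

Two points the code makes concrete: the row is deleted before the hash is compared, so a replayed or stolen cookie value can never be accepted twice, and the comparison uses hmac.compare_digest rather than ==, so the check does not leak timing information about the stored hash. Because the series id survives rotation, history() returns the whole chain of events that grew out of one password login, which is the correlation the answer's first bullet asks for.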
