正确的方式来安全地存储来自OAuth的令牌/ secret / etc？ [英] Correct way to safely store token/secret/etc from OAuth?

问题描述

我刚开始调查OAuth，看起来很不错。我现在已在ruby中 oauth与Twitter工作 。

I just started looking into OAuth and it looks really nice. I have oauth with twitter working in ruby right now.

现在我想知道，在本地数据库和会话中存储响应的推荐安全方法是什么？

Now I'm wondering, what is the recommended safe way to store the responses in my local database and session?

• 我应该存储什么？


• 我应该在哪里存储？

此示例 twitter-oauth- with-rails 应用程序在会话中存储了一个 user.id ，用户表具有令牌和 secret 。但是，这似乎很容易黑客和得到的秘密，只是传递一个测试用户id，没有？

This example twitter-oauth-with-rails app stores a user.id in the session, and the user table has the token and secret. But that seems like it'd be really easy to hack and get the secret by just passing in a slew of test user ids, no?

推荐答案

如果没有你的twitter应用的消费者密钥/秘密，这些令牌是无用的，因为它们对于每个应用都不一样，但依赖于消费者密钥/秘密。

The tokens are useless without the consumer key/secret of your twitter app as they're not the same for every app but depend on the consumer key/secret.

要获得一个会话变量，你必须猜测会话ID，这是不容易完成。

To get a session variable you would have to guess the session id which is not that easy to accomplish.

如果你想，你可以存储这些令牌在会话中，但我建议使用所有其他用户数据将用户令牌存储在数据库中，因此您的会话只包含用于识别系统中用户的数据。

If you want you can store those tokens in the session but I would suggest storing the user tokens in your database with all the other user data so your session contains only the data to identify the user in your system.

更新： m不确定我是否通过猜测ID从数据库中访问令牌来正确理解您的意思。

Update: I'm not sure if I understand correctly what you mean by accessing the tokens from the database by guessing an ID.

您有任何身份验证，以便用户必须输入一些凭据以访问他们的数据？您应该按照存储用户电子邮件地址或密码的方式存储令牌，只有经过身份验证的用户才能访问。

Do you have any authentication in place so that the users have to enter some credentials to access their data? You should store the tokens the same way you store the users email address or password and only authenticated users should be able to access it.

这篇关于正确的方式来安全地存储来自OAuth的令牌/ secret / etc？的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！