在会话中存储密码是否安全? [英] Is it secure to store a password in a session?
问题描述
我需要在会话中经常使用密码。我用一个被密码加密的密钥来掩饰我的用户数据。所以有我的问题。在php会话中存储明文密码是安全的(不是cookie,所以非客户端)?有没有更好的办法?或者我应该每次询问我的用户密码?
I need to use the password often in a session. I'm crypting my userdata with a key that is crypted by the password. So there is my question. Is it secure to store plaintext passwords in a php session (not a cookie, so non clientside)? Is there a better way? Or should i just ask my user every time for the password?
我使用phpseclib加密用户密码的rsa的私钥。每次我想要访问密钥我需要密码。我有两个选择:我存储密码或密钥,我认为两者都不是很好。我不能使用passwordhash进行加密,因为哈希存储在数据库中的明文中。
I encrypt the privatekey of rsa with the userpassword using phpseclib. Everytime I want access to the key I need the password. I have two options: Either I store the password or the key which is I think both not really good. I can't use the passwordhash for the encryption, cause the hash is stored in "plaintext" in the database...
推荐答案
以任何身份保持明文密码通常是一个坏主意。会话是安全的,但只能像您的其他服务器环境一样安全。管理员或其他合法和恶意的用户都可以访问存储在其上的数据。如果您能避免这种情况,您永远不需要处理您的客户的秘密这也意味着您希望在任何情况下避免看到用户的密码,您应该以明文密码与技术上可能的短暂密码一起构建您的代码。
Keeping plaintext passwords anywhere in any capacity is usually a bad idea. Sessions are safe as such, but only as safe as the rest of your server environment. Administrators or other users both legitimate and nefarious may have access to data stored on it. You never want to handle the secrets of your customers if you can avoid it; that also means you want to avoid seeing the user's password under any circumstances and you should build your code in a way that the plaintext password is as short lived as technically possible.
如果您需要在会话期间使用密码,您应该构建您的应用程序,以免使用明文密码,但使用 密钥导出函数 从导出一个密钥,然后用于您的敏感任务。这样一来暴露用户密码的机会就会更少。请记住,用户唯一的安全是他的密码的保密,只有他应该知道。
If you need to use the password for something during a session, you should architect your app so it never uses the plaintext password, but use a key derivation function to derive a key from the password which you then use for your sensitive tasks. This way there's a lot less chance to expose the user's password. Remember, the only security the user has is the secrecy of his password that only he is supposed to know.
这篇关于在会话中存储密码是否安全?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
