生成安全cookie令牌以持久存储 [英] Generating a secure cookie token to store persistently
问题描述
我正在尝试为我的网站创建登录和注册页面。我希望使用cookie来跟踪用户会话,但我正在尝试以最恰当和安全的方式实现它。我已经尝试过查看教程和论坛,但其中大部分已经过时,并且使用人们评论不安全的技术。我理解令牌需要随机生成和加密,所以我发现一个建议在UUID上使用MessageDigest的响应。但是我发现有更多的文章表明这可能不像我想的那样安全......有关生成cookie标记以存储在我的数据库中的安全方法的任何建议吗?
I am trying to create a login and register page for my website. I am looking to use cookies in order to track a users session however I'm trying to implement it in the most proper and secure way. I've tried looking at tutorials and forums but most of them are outdated and use techniques that people comment are not secure. I understand tokens needs to be randomly generated and encrypted so I found one response that suggested to use a MessageDigest on UUID. But I found more articles suggesting that this may not be as secure as I think... Any suggestions on a secure way to generate cookie tokens to store in my db?
当我尝试使用UUID方法时,我遇到了如何将其放入我的数据库,因为我无法找到如何将其转换为字符串。这是我的代码......
When I tried using the UUID method I got stuck on how to place it into my db since I'm having trouble finding how to turn it into a string. Here is my code...
UUID uuid = UUID.randomUUID();
MessageDigest salt = MessageDigest.getInstance("SHA-256");
salt.update(uuid.toString().getBytes("UTF-8"));
推荐答案
你当前的方法很糟糕。考虑我是否是攻击者,我知道我的受害者UUID是某个值 x 。然后,我可以简单地使用 x 的SHA-256哈希值,并将其作为cookie存储在您的网站上。田田。我现在正在模仿我的受害者。
Your current method is, well, rather terrible. Consider if I, an attacker, learnt that my victims UUID is some value x. I could then simply take the SHA-256 hash of x and store this as a cookie on your website. Tada. I'm now impersonating my victim.
在说,为登录系统生成令牌的一种非常安全的方法是相对类似的。请考虑以下JSON对象:
In saying that, a very secure way to produce tokens for login systems is something relatively similar. Consider the following JSON object:
{ "expiry": "1:30:00 24/10/2012", "userID": "F68D4A77DC34" }
如果我们在客户端将此JSON对象存储为cookie,这将是一个很好的方法来确定我们的用户是谁以及此对象何时到期以及用户是否需要再次登录。
If we stored this JSON object as a cookie on the client-side, it would be an excellent way to determine who our user is and when this object expires and the user needs to login again.
但是等等,这不起作用,因为任何人都可以更改用户ID或过期而服务器不知道!
But wait, this won't work, because anyone could change the user ID or the expiry and your server won't know!
我们可以通过引入HMAC轻松解决这个问题。 HMAC是哈希消息认证码。我们首先生成(曾经,一次)随机HMAC密钥 k ,以便在服务器上使用。此密钥应保留在服务器上,永远不会被传输。
We can solve this easily by introducing an HMAC. An HMAC is a Hashed Message Authentication Code. We first generate (once, ever) a random HMAC key, k, to use on the server. This key should remain on the server and never be transmitted.
当用户登录时,我们创建一个类似于上面的JSON对象,然后通过HMAC提供它(例如,HMAC-SHA256)将 k 作为键,然后将此结果作为base64编码的字节追加到JSON对象。它有时也有助于使用分裂字符,比如。。
When a user logs in, we create a JSON object similar to the one above and then feed it through an HMAC (say, HMAC-SHA256) with k as the key, and then append the result of this to the JSON object as base64 encoded bytes. It sometimes helps to use a splitting character too, say ".".
然后我们最终得到以下结果:
We then end up with the following:
{ "expiry": "1:30:00 24/10/2012", "userID": "F68D4A77DC34" }.ScvlfpUDqgxtDPH4jsK44d+4cMNG+5yCvASJkVEI11o
这个令牌可以很好地使用,但有些人喜欢base64编码JSON。我们最终在这种情况下是这样的:
This token would be fine to use exactly like that, but some people like to base64 encode the JSON too. We end up with something like this in that case:
eyAiZXhwaXJ5IjogIjE6MzA6MDAgMjQvMTAvMjAxMiIsICJ1c2VySUQiOiAiRjY4RDRBNzdEQzM0IiB9.ScvlfpUDqgxtDPH4jsK44d+4cMNG+5yCvASJkVEI11o
我们很容易通过获取JSON对象,再次执行相同的操作,然后比较结果来验证此令牌是否合法HMAC与附加到令牌的HMAC。如果它们匹配,我们知道我们的服务器生成了令牌并且它是合法的。
It is easy for us to verify that this token is legitimate by taking the JSON object, performing the same operation again, and then comparing the result of the HMAC with the one that is attached to the token. If they match, we know that our server generated the token and that it is legitimate.
这篇关于生成安全cookie令牌以持久存储的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
