如何在浏览器中加密Cookie密码 [英] How to encrypt cookie password in browser

问题描述

我正在实现记住我功能以进行登录.我将jquery用作以下代码，但该代码的一大缺点是，正如我在下面提到的代码片段，将纯文本密码存储到浏览器中一样，它不安全，谁能告诉我如何实现安全的remember me

I am implementing remember me functionality to login. I used jquery as following code but big disadvantage from that code as I mentioned below code snippet, Plaintext password storing into browser, Its not secure can any one tell me how to implement safe and secure remember me

$("#login_form").ready(function() { 
    $('#username').val($.cookie('username')).change();
    $('#password').val($.cookie('password')).change();    
    //alert($('#password').val($.cookie('password')).change());  
    $('#remember').click(function()
    {
       var username = $('#username').val();
       var password = $('#password').val();    
       // set cookies to expire in 30 days
       $.cookie('username', username, { expires: 30 });
       $.cookie('password', password, { expires: 30 });        
    });
});

推荐答案

做到这一点的方法是制作一个随机(psudo random)密钥，并且不公开任何用户信息，例如密码或登录名.您可以使用

The way to do this is to make a random ( psudo random ) key and not expose any user information such as a password or login. You can make a easy key for this using

sha1($login.mirotime().rand(0,10000));

还有一个简单的表，用于创建与用户帐户的关系.如果您仅使用登录名，那么我可以轻松创建一个cookie并破解您的用户帐户.如果您公开密码，则进行同样的处理.如果您对密码进行加密，则需要进行2种方式的加密.这与最弱的加密类型有关，并且正确执行加密的复杂性使其与制作简单的随机密钥和要使用的表的工作量大致相同.更不用说您可以在表格中放置过期字段，和/或在正确设置后将其用于丢失的密码重置.

And a simple table to create a relationship back to the user account. If you use just the login, then I could easily create a cookie and hack your user accounts. If you expose the password, same deal. If you encrypt the password it would need to be 2 way encryption. Which is about the weakest type of encryption, and the complexity in doing that right makes it about the same effort as making a simply random key and a table to use. Not to mention you can put an expire field in the table, and / or use it for lost password resets once properly setup.

这就是我通常所说的护照.另一件事是，您可以设置一些蛮力保护并延迟猜测密钥的尝试.通常，这可以通过跟踪尝试和ip地址，然后在多次尝试失败后延迟它们来完成(尽管这超出了此答案的范围).

This is what I typically refer to as a passport. Another thing you can setup some brute force protection and delay attempts to guess a keys. Typically this could be done by tracking attempts and ip addresses and then delaying them after so many failed attempts ( that is a bit outside the scope of this answer though ) .

这篇关于如何在浏览器中加密Cookie密码的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！