安全地存储两次访问之间的凭据 [英] Safely store credentials between website visits

问题描述

我正在建立一个网站，该网站允许用户创建帐户并访问该网站的内容.我不希望用户每次访问该网站时都进行登录，因此我打算将用户名和密码存储在Cookie中-但是，我听说这是一种不好的做法，即使密码已散列在其中Cookie.

I'm building a website which allows users to create accounts and access the site's content. I don't want users to log in each time they visit the site, so I'm planning on storing the username and password in a cookie -- however, I've heard this is bad practice, even if the password is hashed in the cookie.

我应该遵循哪些最佳做法"以安全地记住两次访问我的网站之间的用户凭据?

What "best practices" should I follow to safely remember of a users credentials between visits to my website?

推荐答案

永远不要这样做.乱扔密码.

Don't ever do that. Throwing around passwords in the open.

最安全的方法:

将用户名存储在数据库中，在同一行中随机生成一个盐值，在同一行中密码的哈希校验和(包括盐).将另一个表用于使用用户凭据引用该表的会话.当用户登录您希望会话过期的日期时(例如15天后)，您可以在会话表中插入.将会话ID存储在cookie中.

Store the username in a database, in the same row a randomly generated salt value, in the same row a hash checksum of the password including the salt. Use another table for sessions that references the table with user credentials. You can insert in the sessions table when the user logs in a date you want the session to expire (eg. after 15 days). Store the session id in a cookie.

下次用户登录时，您将获得密码，为用户添加盐，对哈希进行geter处理，然后将其与您拥有的密码进行比较.如果它们匹配，请通过在会话表中插入一行并在cookie中发送会话ID来打开会话.您可以通过此cookie检查用户是否已登录以及是哪个用户.

Next time the user logs in, you get the password, add to it the salt for the user, geterate the hash, compare it to the one you have. If they match open a session by inserting a row in the sessions table and sending the session id in a cookie. You can check if the user has logged in and which user it is by this cookie.

此方法是大多数网站上使用最普遍的方法.它在安全和实用之间达到了很好的平衡.

This method is the most popular in use on most sites. It hits a good balance between being secure and practical.

您不只是将自动增量值用作会话ID.您可以通过使用一些难以重复的复杂校验和来做到这一点.例如，将用户名，时间戳记，盐，另一种随机盐串联起来，然后使用md5或sha校验和.

You don't simply use an autoincrement value for the session id. You make it by using some complicated checksum which is hard to repeat. For example concatenate username, timestamp, salt, another random salt, and make an md5 or sha checksum out of it.

为了实现涉及网站/服务中用户凭证的功能，大多数客户端和服务器之间需要进行一些与凭证相关的数据交换.这会将数据暴露给中间附件等中的人.此外，Cookie存储在用户硬盘中.没有一种方法可以100％安全.

In order to implement a feature that involves user credentials in a website/service there most be some exchange of data related to the credentials between the client and the server. This exposes the data to man in the middle attacs etc. Additionally cookies are stored in the users harddrive. No method can be 100% safe.

如果您想提高安全性，可以使您的网站通过https进行访问.这将防止人们在中间攻击中使用人来窃取Cookie和密码.

If you want additional security you can make your site go over https. This will prevent people from stealing cookies and passwords using man in the middle attacks.

注意:

让IP地址参与其中并不是一个好主意.大多数情况下，多个客户端将通过NAT等来自同一IP地址.

Involving IP addresses in the mix is not a really good idea. Most often multiple clients will come from the same IP address over NATs etc.

这篇关于安全地存储两次访问之间的凭据的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！