SessionId/身份验证令牌生成的最佳实践 [英] Best practices for SessionId/Authentication Token generation
问题描述
我见过人们使用UUID生成身份验证令牌.但是,在 RFC 4122 中,指出
I have seen people using UUID for authentication token generation. However, in RFC 4122 it is stated that
不要以为UUID很难猜到;他们不应该被使用 作为安全功能(仅拥有许可的标识符 访问).
Do not assume that UUIDs are hard to guess; they should not be used as security capabilities (identifiers whose mere possession grants access), for example.
我想知道,例如Java和.NET中使用哪种算法来生成SessionId/AuthenticationToken.在具有比一般安全需求更多的应用程序中,UUID确实不适合这些目的吗?
I was wondering, what algorithms are used for example in Java and .NET for SessionId/AuthenticationToken generation. Is UUID indeed unsuitable for these purposes in an application that has more than average security needs?
推荐答案
UUID
生成是随机的,但是具有不良熵的随机意味着您最终会容易猜出UUID
.如果使用良好的随机数生成器,则可以生成可用于会话的UUID
.但是,要注意的是UUID
没有内置的预防重放,篡改,修复等功能,因此您必须自己处理(阅读:UUID本身不应该本身就被视为有效的会话ID).就是说,这是一个很好的代码片段,说明了如何使用python
生成安全的UUID
:
UUID
generation is random, but random with bad entropy means that you will end up with easy to guess UUID
s. If you use a good random number generator, you can generate UUID
s that can be used for sessions. The catch to this, however, is that UUID
s don't have built-in re-play prevention, tampering, fixation, etc., you have to handle that on your own (read: a UUID by itself shouldn't be considered a valid session ID by itself). That said, here's a good snippet for how you would generate a secure UUID
using python
:
这篇关于SessionId/身份验证令牌生成的最佳实践的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!