在哪里存储网站密码盐的最佳位置? [英] Where is the best place to store the password salt for the website?

问题描述

我有两种盐，每个用户都有一个唯一的盐，该盐与用户信息一起存储在数据库中.第二种盐是特定于网站的盐.都需要对密码进行哈希处理.

I have two salts, each user has a unique salt that is stored with the user info in the database. The second salt is one that is specific to the website. Both are needed to hash the passwords.

问题是我不知道该在哪里保留我的网站.现在，它位于运行哈希算法的PHP方法中.我应该将其保存在/var/www/之外的文件中，并打开PHP并读取该文件吗?我不想将其存储在数据库中，因为如果我的数据库遭到破坏，那将使具有两种盐的目的无法实现.

Problem is I don't know where I should keep my website salt. Right now it resides in the PHP method that runs the hashing algorithm. Should I keep it in a file outside the /var/www/ and have PHP open and read the file? I don't want to store it in the database because that would defeat the purpose of having two salts should my database be compromised.

有什么建议吗?

推荐答案

尚未提及一个选项?服务器提供的环境变量.您可以在httpd.conf或.htaccess中进行操作.由于Apache不提供.htaccess文件，因此您不必担心将其隐藏得太多...

One option not mentioned yet? An environmental variable served by the server. You can do it in httpd.conf, or in a .htaccess. Since Apache doesn't serve .htaccess files, you don't need to worry about hiding it as much...

SetEnv WEBSITE_SALT 232lhsdfjaweufha32i4fv4239tauvkjn

这样，您在应用程序中所需要做的就是$salt = getenv('WEBSITE_SALT');.这样做的好处是它对应用程序是透明的...

That way, all you need to do in your application is $salt = getenv('WEBSITE_SALT');. The benefit here is that it's transparent to the application...

这篇关于在哪里存储网站密码盐的最佳位置?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！