Django应用中的密码字符串比较 [英] Password string comparison in Django app

问题描述

根据设计，不可能在任何Django应用中获取用户密码。

It's impossible to get passwords of a user in any Django app, by design.

我正在为Django应用实现更改密码功能，其中一项要求是确保用户

I'm implementing a change password feature for my Django app, and one of the requirements is to ensure users don't keep a new password that's the same as their previous one.

在这里我不能进行字符串比较，那么在这种情况下可以遵循的最佳模式是什么？

I can't do string comparison here, so what's the optimal pattern to follow in this case?

这就是我的想法：访问我的更改密码功能需要重新验证（即用户必须输入再次通过）。我可以想到此时将密码字符串保存在会话变量中（例如 session.request ['old_password'] ），然后将该会话变量与用户设置的新密码？

Here's what I'm thinking: accessing my change password feature requires re-auth (i.e. users have to input the pass again). I can conceivably save the password string in a session variable at this point (e.g. session.request['old_password']), and then compare this session variable with the string of the new password the user sets? Any security concerns with this kind of a pattern?

推荐答案

您不需要在会话中存储旧密码吗？也不应该。由于会话数据已保存在会话存储区中，并且在更改密码的短暂时间内保存，因此它们以纯文本格式存在。从理论上讲，攻击者可以使用数据库事件或触发器来捕获这些纯文本密码对象。更好的方法是使用django内置的密码功能。

You don't need to store the old password in a session and you shouldn't either. Because the session data get's saved in the session storage and for that brief period when the password is being changed, it's there in plain text format. Theoretically an attacker could use a database event or trigger to capture these plain text password objects. The better approach would be to use django's built in password functions.

check_password（密码，已编码）如果您想手动
来认证a用户通过将纯文本密码与数据库中散列的
密码进行比较，可以使用便捷功能
check_password（）。它有两个参数：用于
检查的纯文本密码，以及用于检查数据库
中用户密码字段的完整值，如果匹配则返回True，否则返回False。

check_password(password, encoded) If you’d like to manually authenticate a user by comparing a plain-text password to the hashed password in the database, use the convenience function check_password(). It takes two arguments: the plain-text password to check, and the full value of a user’s password field in the database to check against, and returns True if they match, False otherwise.

在您的情况下，您需要创建一个自定义表单，该表单将其作为clean（）方法的一部分进行调用。如果上述函数调用返回true，则需要引发一个验证错误，指出正在重用旧密码。

In your case you would need to create a custom form, that calls this method as part of it's clean() method. If the above function call returns true, you need to raise a validation error saying the old password is being reused.

这篇关于Django应用中的密码字符串比较的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！