Any gotchas I should be aware of regarding this approach to persistent logins ("Remember Me")?

Views: 41

Question

This web application will have a database table with columns uniqueid (64-bit int autoincrement field; key), token (64-byte binary field), and an accountid.

After logging in with "Remember Me" checked, a random token will be generated. Then the SHA-512 hash of this token will be inserted into the database and the generated uniqueid retrieved. A cookie that contains the uniqueid and unhashed token is sent to the client.

Every time a user visits the page with the cookie, the cookie's uniqueid and its token's SHA-512 hash will be checked against the database. If there is a row that matches the uniqueid, and that row's token hash matches the token hash, log in the user with the row's accountid. After every authentication attempt made by the cookie, delete the row that uses the old uniqueid and, if the authentication was successful, generate a new random token. Then the SHA-512 hash of this token will be inserted into the database and the generated uniqueid retrieved. A cookie that contains the uniqueid and unhashed token is sent to the successfully authenticated client.

I will be using the techniques described here as well. All failed cookie authentications will have the cookies set to blank values and expiration date set to sometime in the past.

I believe this method would address a few concerns regarding cookies. Namely:

  1. The token in the database is hashed so that as long as an attacker does not have write access to the database, he/she will not be able to forge cookies of all users.

  2. Unique IDs are used instead of a user's account name because login credentials should never be stored in a cookie.

  3. A random token is generated every time the cookie is authenticated so that if an attacker steals a cookie, it will only be valid until the user next logs in rather than for the entire time the user is remembered.

  4. Cookies will be difficult to sniff because my entire application uses HTTPS.

I can further enhance security by allowing the user to specify how long he/she wants to be remembered for. The expiration date will be stored in the same database table that stores uniqueid and tokens. Every time a new cookie is created, this expiration will be sent with the cookie. If a user tries logging in with a cookie that the server deems expired but the client still holds, the login will be denied.

I believe this solution is reasonably secure, but are there any pitfalls or things that I have overlooked when I designed this method?

Sources:

Hashed token in the database

Don't store the account name in the cookie, and use a new unique ID after each authentication

Answer

When it comes to security, reasonable is always relative. :) It is reasonable if you think it is appropriate vs. the threats you face. That said, here are a few things I'd do if it were my app and I believed I was actually going to need to protect it from attack...

  • Add some marker to the token / b/e that lets you correlate back to the original authentication event, then log it on all cookie operations. That way, if (when :) someone gets hacked and you want to figure out what happened when, you can correlate.
  • On the b/e, make sure "invalidate all my outstanding tokens" is a feature of the system. Then tie it automatically to all "suspicious" events.
  • Store geo information in the b/e along with the row that corresponds to the cookie. At first, just log it. Eventually you will want to do more with it. As you investigate people who got hacked, you will find more and more things you can do with this data. Without the data, you can't learn.
  • Lots of instrumentation. Lots and lots of instrumentation. Keep it for years. Everything generates an event, and log everything you know at the time the event happens. Good visualization/lookup tools to figure out what happened when.

There are of course zillions more things you could do, this is just a starter list...
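The question's scheme (uniqueid plus random token in the cookie, only the SHA-512 of the token in the database, the row deleted on every attempt, rotation on success, server-side expiry) together with the answer's two back-end suggestions (an audit event for every cookie operation that carries the originating login, and "invalidate all my outstanding tokens"), as an added example that is not code from the question or the answer. The `uniqueid:hex` cookie encoding, the in-memory SQLite table, the 32-byte token length and the event names are assumptions made for this example.

```python
import hashlib
import hmac
import secrets
import sqlite3
import time

# Constructed example, not the poster's code. Implements the question's
# remember-me scheme and adds the answer's audit events and the
# "invalidate all my outstanding tokens" feature.


def make_cookie(uniqueid: int, token: bytes) -> str:
    """Cookie value: the row id and the UNHASHED token, hex-encoded (assumed format)."""
    return f"{uniqueid}:{token.hex()}"


def parse_cookie(cookie: str):
    """Returns (uniqueid, token), or None for a malformed cookie value."""
    try:
        uid, token_hex = cookie.split(":", 1)
        return int(uid), bytes.fromhex(token_hex)
    except ValueError:
        return None


class RememberMeStore:
    def __init__(self):
        self.db = sqlite3.connect(":memory:")
        self.db.execute(
            "CREATE TABLE remember_tokens ("
            "uniqueid INTEGER PRIMARY KEY AUTOINCREMENT, "
            "token_hash BLOB NOT NULL, "   # SHA-512 digest of the token (64 bytes)
            "accountid INTEGER NOT NULL, "
            "expires_at REAL NOT NULL, "   # the user-chosen "remember me" deadline
            "auth_event TEXT NOT NULL)"    # id of the original login, for correlation
        )
        self.audit_log = []  # stand-in for the answer's long-lived instrumentation

    @staticmethod
    def _hash(token: bytes) -> bytes:
        return hashlib.sha512(token).digest()

    def _log(self, event: str, **fields):
        self.audit_log.append({"event": event, "at": time.time(), **fields})

    def issue(self, accountid: int, expires_at: float, auth_event: str) -> str:
        """Creates a row for a fresh random token and returns the cookie value."""
        token = secrets.token_bytes(32)  # only its hash ever touches the database
        cur = self.db.execute(
            "INSERT INTO remember_tokens (token_hash, accountid, expires_at, auth_event) "
            "VALUES (?, ?, ?, ?)",
            (self._hash(token), accountid, expires_at, auth_event),
        )
        self._log("cookie_issued", uniqueid=cur.lastrowid, accountid=accountid,
                  auth_event=auth_event)
        return make_cookie(cur.lastrowid, token)

    def authenticate(self, cookie: str, now: float):
        """Returns (accountid, fresh_cookie) on success, otherwise (None, None).
        The presented row is deleted on EVERY attempt, as the question specifies."""
        parsed = parse_cookie(cookie)
        if parsed is None:
            self._log("cookie_auth_failed", reason="malformed")
            return None, None
        uniqueid, token = parsed
        row = self.db.execute(
            "SELECT token_hash, accountid, expires_at, auth_event "
            "FROM remember_tokens WHERE uniqueid = ?", (uniqueid,)).fetchone()
        self.db.execute("DELETE FROM remember_tokens WHERE uniqueid = ?", (uniqueid,))
        if row is None:
            self._log("cookie_auth_failed", uniqueid=uniqueid, reason="unknown_uniqueid")
            return None, None
        token_hash, accountid, expires_at, auth_event = row
        # Constant-time comparison of the stored hash against the hash of the presented token.
        if not hmac.compare_digest(token_hash, self._hash(token)):
            self._log("cookie_auth_failed", uniqueid=uniqueid, accountid=accountid,
                      auth_event=auth_event, reason="token_mismatch")
            return None, None
        if now >= expires_at:
            self._log("cookie_auth_failed", uniqueid=uniqueid, accountid=accountid,
                      auth_event=auth_event, reason="expired")
            return None, None
        self._log("cookie_auth_ok", uniqueid=uniqueid, accountid=accountid,
                  auth_event=auth_event)
        # Rotate: new row and new token, same deadline, same originating login.
        return accountid, self.issue(accountid, expires_at, auth_event)

    def invalidate_all(self, accountid: int, reason: str) -> int:
        """The answer's 'invalidate all my outstanding tokens'; returns rows removed."""
        cur = self.db.execute("DELETE FROM remember_tokens WHERE accountid = ?", (accountid,))
        self._log("tokens_invalidated", accountid=accountid, count=cur.rowcount, reason=reason)
        return cur.rowcount


if __name__ == "__main__":
    store = RememberMeStore()
    cookie = store.issue(accountid=7, expires_at=time.time() + 3600, auth_event="login-abc")
    print(store.authenticate(cookie, now=time.time()))
    print(store.audit_log)
```

Because the row is deleted before the hash is compared, a tampered cookie that carries a valid uniqueid also disables the legitimate cookie that shares it, which is the behaviour the question asks for; every such event lands in the audit log with the originating `auth_event`, so the correlation the answer describes is possible after the fact.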
