在Cookie中哈希用户密码 [英] Hashing User password in Cookie
问题描述
我正在尝试设置Cookie,以便可以自动登录用户.
I'm trying to set a cookie so that user can be automatically logged in.
我不希望在对cookie进行身份验证时向数据库查询会话字符串(基本上,每当调用我的大多数API时,我都需要这样做,我想使其速度更快)
I do not want to query DB for session string when authenticating cookies (basically I need to do that whenever most of my APIs are called, I want to make it faster)
我发现的解决方案是在cookie中设置一个哈希值,并在身份验证时尝试对其进行解密,如果解密成功,则登录用户.
the solution I found is to set a hash in the cookie and try to decrypt it when authenticating, if decryption is successful then log user in.
我想知道应该使用哪种哈希方法?我是否只在程序中使用一个恒盐,然后用该盐对用户名进行哈希处理,将哈希的用户名和原始用户名存储在cookie中,并尝试在身份验证时将用户名与解密的哈希值进行匹配?
I am wondering what hashing method should I use? Do I just use a constant salt in my program and hash the userName with that salt, store the hashed userName and original userName in cookie, and try to match userName with decrypted hash upon authentication?
由于我对哈希函数不熟悉,因此任何人都可以就我应该如何在Java中进行操作提供一些建议吗?
Since I am not familiar with hashing functions, can anyone kindly provide some suggestions on how should I do it in Java?
推荐答案
我建议您使用为每个会话生成的唯一令牌密钥.例如,如果客户端从计算机登录一次,则该令牌在更改密码之前一直有效.过期Cookie并不完全安全...
I recommend you to use an unique token key generated for each session. For example, if a client once logged in from a computer, this token will be valid until the password is changed. Expiring a cookie is not completely secure...
您还可以使用会话变量进行简单的身份验证.为用户设置会话变量后,该用户每次发送带有该会话ID的请求时,都将使用该会话ID.仅此会话ID会到达您的会话变量.大多数平台还可以使用DB为您存储这些变量.
You can also use session variable for a simple authentication. Once you set a session variable for an user, every time this user sends a request with this session id; your session variable will be reached for just this session id. Most of the platforms can also use DB for storing these variables for you.
这篇关于在Cookie中哈希用户密码的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
