我可以安全地将用户名和密码存储在 PHP 会话变量中吗? [英] Can I securely store username and password in PHP session variables?
问题描述
我想在 REST api 之上制作一个轻量级的 web 应用程序,用户应该只进行一次身份验证,从那时起,所有针对 web api 的请求都有望通过以某种方式保持用户名和密码来完成.
I want to make a light webapp on top of a REST api, where the user should authenticate only once, from then on all request against the web api would hopefully be done by keeping alive the username and password in some way.
我已经制作了一个工作原型,如果对 REST api 的第一个请求成功,我将将用户名和密码存储在会话变量中,从那时起,每个请求是使用从会话变量中获取的身份验证信息进行的.到目前为止一切顺利.
I have already made a working prototype where I store the username and password in session variables if the first request to the REST api is successfull, and from then on every request is made with auth info gotten from the session variables. So far so good.
通过这种方法,我意识到可以访问服务器的人将能够读取密码.PHP 中是否有某种方法可以让我遵循我的方法并具有适当的安全性?
With this approach, I realize someone with access to the server would be able to read the password. Is there some way in PHP that i could follow my approach with an appropriate amount of security?
更新一些更多细节:
此处的预期目标是对从 API 检索到的数据进行可视化,基于使用不同数据进行查询,而不是让用户每次尝试输入用户名和密码.所以 API 是完全无状态的,但是带有 gui 的 Web 应用程序应该是有状态的.
The intended goal here is to make a visualisation of data retrieved from an API, based on querying it with different data, but not having the user enter his username and password for each attempt. So the API is totally stateless, but the web application with gui should be statefull.
在这种情况下,我无法控制 Rest API,因此对它的每个请求将始终需要使用基本身份验证发送 API 用户名和密码,没有其他方案,例如 API 密钥、会话令牌或类似的东西.这就是为什么我必须在用户会话持续期间保留用户名和密码的原因,我想知道将它们存储在会话变量中的方法是否可以被认为是安全的.
In this case I have no control over the Rest API, so each request to it will always require sending the API username and password with basic auth, there are no alternative schemes such as a API key, session token or anything like that. This is why I have to retain the username and password for as long as a user session lasts, and I wanted to know if the approach with storing them in session variables could be considered secure.
推荐答案
只要您不在 REST API 服务器上存储会话状态,只在您的客户端 web 应用程序上,从架构的角度来看似乎都不错.
As long as you're not storing session state on the REST API server, only on your client webapp, it seems fine from an architectural point of view.
如果您确实必须使用用户名和密码并且无法获得一次性令牌,则可以使用服务器端密钥对其进行加密,并在将它们发送到 API 时即时解密,因此即使有人可以劫持一个会话,他们无法在没有服务器端密钥的情况下获取用户名和密码,但无论如何,您应该更加小心泄露您的 php 会话.
If you really must use the username and password and can't get a disposable token, you may encrypt them with a server-side key, and decrypt on-the-fly when you send them to the API, so even if someone can hijack a session they can't obtain the username and password without the server-side key, but you should be a lot more careful with leaking your php session anyway.
按照该问题的答案中列出的步骤进行操作,但您应该将 HTTPS 用于用户与 Web 应用程序之间以及 Web 应用程序与 REST API 之间的所有交互.
Follow the steps outlined in the answer for that question, except that you should use HTTPS for all interactions, between the user and the webapp, and between the webapp and the REST API.
这篇关于我可以安全地将用户名和密码存储在 PHP 会话变量中吗?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
