What's the best way to do user authentication in PHP?

Views: 34

Question

I have been simply writing 2 cookies, 1 containing the user ID, and the 2nd containing 1/2 the SHA1 hash of the password (salted). The way it works is self-evident.

I realized that I wasn't doing this in the most secure way. What's a better way of doing this? Preferably using a single authentication cookie.

Also, is there a point to using "hard to calculate hashes"? By that I mean, using bcrypt, or hashing each item 10,000 times with Whirlpool, to make it a (relatively) slow hash function (200 ms vs. less than 1 ms for plain SHA1)? I mean, if someone breaches your DB and gets the hashes... what is there left to protect, since all your data is in the same DB (unless you have some sort of decentralized setup, which I don't)?

Recommended answer

Use sessions. Store the session id in the cookie, and store the state of the user on the server side (loggedIn, userId, IP).

To clarify what you need to store in the session array:

  • loggedIn: A boolean variable about whether the user is logged in or not. You reuse the same cookie for multiple sessions, so you remember the user's username next time they come to your site, etc.
  • userId: The unique id of the user in the database. Use this to get more information on the user, like username, email etc. This too can be kept in the session array after the user logs out.
  • IP: To prevent someone from stealing the session id and using it, you store the IP of the user as well. This is optional, as sometimes you want to allow the user to roam (e.g., stackoverflow allows me to move about with my laptop without logging me out when the IP changes).
  • lastPing: The timestamp the user was last seen. This can be used instead of the cookie expiration date. If you also store the lifetime of the session, then you can log the user out due to inactivity. This means that the session id cookie can be stored on the user's computer for a very long time.

When the user logs out or is logged out due to inactivity, you simply set loggedIn to false. When the user logs in with the right username and password you set loggedIn to true and update the other fields (userId, IP, lifetime). When the user loads a page, you check lastPing against the current time and the lifetime, and either update lastPing or log the user out.

The session data can either be stored in the filesystem or in a database. If stored in a database, then userId is either a foreign key to the user record, or all the data can be put in the user record.

Rehashing a value several times is not a good idea, because you reduce the security. Instead use a salt, combining a static salt (the name of the page, for example) and the username of the user, together with the password. A hash that takes a long time isn't better than a fast hash; a hash that results in a large digest is better than a hash that results in a short digest (due to brute force). Using SHA1 should be good enough for a normal site (i.e., not a bank or a secret military organization).
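As an added example (not code from the original answer), here is the login / per-page check / logout procedure the answer lays out, written in PHP around the session fields it names (loggedIn, userId, IP, lastPing, lifetime). The user table, the 30-minute lifetime, the timestamps and the IP addresses are constructed for the demonstration. Two things differ from the answer's text and are labelled in the code: the stored credential uses PHP's password_hash() (bcrypt) rather than salted SHA1, and the session id is regenerated on login, which the answer does not mention. The $session array stands in for $_SESSION so the script runs from the CLI.

```php
<?php
// Added example, not the answer's own code: the login / per-page check / logout
// procedure the answer describes, using the session fields it names
// (loggedIn, userId, IP, lastPing, lifetime). $session stands in for $_SESSION
// so the logic runs from the CLI; in a web request call session_start() and
// pass $_SESSION by reference instead.
declare(strict_types=1);

const SESSION_LIFETIME = 1800; // assumed: 30 minutes of inactivity logs the user out

// Constructed user table (stands in for the users DB table). password_hash()
// (bcrypt) is used for the stored credential instead of the answer's salted SHA1.
function constructedUsers(): array
{
    return [
        'alice' => ['id' => 42, 'hash' => password_hash('correct horse battery staple', PASSWORD_DEFAULT)],
    ];
}

// Verify the credentials; on success fill the session array and return true.
function login(array &$session, array $users, string $username, string $password, string $ip, int $now): bool
{
    $user = $users[$username] ?? null;
    if ($user === null || !password_verify($password, $user['hash'])) {
        return false;
    }
    if (session_status() === PHP_SESSION_ACTIVE) {
        // Issue a fresh session id on login so an id planted before
        // authentication (session fixation) is never upgraded to a logged-in one.
        session_regenerate_id(true);
    }
    $session['loggedIn'] = true;
    $session['userId']   = $user['id'];
    $session['IP']       = $ip;
    $session['lastPing'] = $now;
    $session['lifetime'] = SESSION_LIFETIME;
    return true;
}

// Run on every page load. Returns true and refreshes lastPing while the user is
// still logged in; otherwise logs the user out. $bindIp = false allows roaming
// between networks, the optional case the answer's IP bullet mentions.
function checkSession(array &$session, string $ip, int $now, bool $bindIp = true): bool
{
    if (empty($session['loggedIn'])) {
        return false;
    }
    $inactive   = ($now - $session['lastPing']) > $session['lifetime'];
    $ipMismatch = $bindIp && $session['IP'] !== $ip;
    if ($inactive || $ipMismatch) {
        logout($session);
        return false;
    }
    $session['lastPing'] = $now;
    return true;
}

// Only loggedIn is cleared; userId stays so the site can still greet the
// returning user by name, as the answer describes.
function logout(array &$session): void
{
    $session['loggedIn'] = false;
    unset($session['IP'], $session['lastPing'], $session['lifetime']);
}

// Stand-alone walk-through with constructed timestamps and addresses.
$users   = constructedUsers();
$session = [];
$t0      = 1700000000;

var_dump(login($session, $users, 'alice', 'wrong password', '203.0.113.5', $t0));                // wrong password
var_dump(login($session, $users, 'alice', 'correct horse battery staple', '203.0.113.5', $t0)); // correct password
var_dump(checkSession($session, '203.0.113.5', $t0 + 600));   // 600 s idle, within the lifetime
var_dump(checkSession($session, '203.0.113.5', $t0 + 2500));  // 1900 s since lastPing, past the 1800 s lifetime
var_dump($session['loggedIn'], $session['userId']);           // logged out, userId retained

login($session, $users, 'alice', 'correct horse battery staple', '203.0.113.5', $t0 + 3000);
var_dump(checkSession($session, '198.51.100.9', $t0 + 3100)); // IP changed while the session is bound to an IP
```

Run it with `php auth.php`. In a real request, call session_start() first and pass $_SESSION in place of $session; the timestamp comes from time() and the address from $_SERVER['REMOTE_ADDR']. Pass $bindIp = false to checkSession() for the roaming behaviour the answer describes, and keep the lifetime in the session rather than in the cookie so the server, not the client, decides when inactivity ends the login.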
