金字塔AuthTktAuthenticationPolicy秘密参数 [英] pyramid AuthTktAuthenticationPolicy secret parameter

问题描述

到底什么是金字塔的 pyramid.authentication.AuthTktAuthenticationPolicy 函数的'秘密'参数？在<一个href=\"http://pyramid.readthedocs.org/en/latest/api/authentication.html#pyramid.authentication.AuthTktAuthenticationPolicy\"相对=nofollow>文档说，这是（字符串）用于auth_tkt cookie的签名。必需。在<一个href=\"http://pyramid.readthedocs.org/en/latest/tutorials/wiki/authorization.html#add-authentication-and-authorization-policies\"相对=nofollow>教程说，这是为重$ P $字符串psenting通过这一政策psented的身份验证票证机械再$ P $使用的加密密钥。

What exactly is the 'secret' parameter of Pyramid's pyramid.authentication.AuthTktAuthenticationPolicy function? The documentation says that it's "(a string) used for auth_tkt cookie signing. Required." The tutorial says that it's "is a string representing an encryption key used by the 'authentication ticket' machinery represented by this policy".

什么是auth_tkt饼干签约？这是什么身份验证票证机械？难道这个秘密应该是我的东西作为存储在数据库中或东西的哈希？我真的糊涂了。

What is auth_tkt cookie signing? What is this 'authentication ticket' machinery? Is this secret supposed to be something I store as a hash in a database or something? I'm really confused.

推荐答案

一个TKT AUTH的cookie是几条信息，包括用户名和可选的时间戳，而不是用户的密码安全散列。一旦通过验证，你给这样一个cookie的用户，每个用户返回只需再次提取的用户名和时间知道这是同一个用户。

A tkt auth cookie is a secure hash of several pieces of information, including the username and optionally a timestamp, but not the user password. Once authenticated, you give such a cookie to the user, and every time the user returns you just extract the username again and know it's the same user.

要的继续的这个cookie的安全，你需要有一个服务器端的秘密，但是。拥有这个秘密可以创建这些cookie中只有一台服务器;如果攻击者曾经得到它，他可以产生任意用户身份验证cookie保持甚至无需知道这些用户的密码。

To keep this cookie secure, you need to have a server-side secret, however. Only a server in possession of that secret can create these cookies; if an attacker ever got hold of it he could generate authentication cookies for arbitrary users without ever needing to know the passwords of these users.

秘密参数是服务器端的秘密;它就像一个主密码为您的服务器。如果你的站点上运行多个进程（和WSGI，你通常会做），你需要使它在整个过程中保持一致，以确保每个过程可以验证的cookie。您可以在配置文件中指定，在源$ C ​​$ C，或在你的数据库;这取决于你有多少灵活性的需要，你的安全策略，您以及是否需要与其他系统共享的秘密。

The secret parameter for the policy is that server-side secret; it's like a master password for your server. If you run more than one process for your site (and with WSGI, you usually do), you need to make it consistent across your processes, to make sure each process can verify the cookies. You can specify it in your configuration file, in your source code, or in your database; it depends on how much flexibility you need, your security policies, and whether or not you need to share the secret with other systems.

您可以与域中的其他系统也需要用户进行身份验证，使用相同的标准的秘密。阿帕奇例如具有 mod_auth_tkt 模块，Plone中采用相同的标准，并通过共享可以提供单点登录的用户在完全不同的Web应用程序的秘密。

You can share the secret with other systems in your domain that also need to authenticate your users, using the same standard. Apache has a mod_auth_tkt module for example, Plone uses the same standard, and by sharing the secret you can provide a single sign-on for your users across disparate web applications.

请注意，改变秘密手段现有会话变为无效，并且用户将不得不重新验证。

Note that changing the secret means existing sessions become invalid, and users would have to re-authenticate.

在任何情况下，现有的cookie可以有一个有限的寿命;嵌入式时间戳限制多长时间，如果你配置超时上的策略参数将被接受为有效。这是很好的策略来设置超时，用补发时间相结合;这再次访问的超时时间内您的申请将被重新发出一个新的Cookie有新的时间戳的任何用户，以保持他们的会话新鲜。如果用户不回这样，你的会话cookie自动失效，他们的cookie不会被攻击者在以后重用。在换发参数可以让你控制一个新的令牌是如何迅速下达; 换发秒内重新访问您的服务器不会产生一个新的令牌。

In any case, existing cookies can have a limited life-span; the embedded timestamp limits how long it will be accepted as valid, if you configure the timeout parameter on the policy. It's good policy to set a timeout, combined with a reissue time; any user that re-visits your application within the timeout will be re-issued a new cookie with a new timestamp to keep their session fresh. That way your session cookies automatically expire if your users do not return, and their cookie cannot be reused by an attacker at a later time. The reissue parameter lets you control how quickly a new token is issued; revisit your server within reissue seconds would not produce a new token.

这篇关于金字塔AuthTktAuthenticationPolicy秘密参数的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！