Hashes or tokens for "remember me" cookies?


Question

When it comes to "remember me" cookies, there are 2 distinct approaches:

Hashes
The remember me cookie stores a string that can identify the user (i.e. user ID) and a string that can prove that the identified user is the one it pretends to be - usually a hash based on the user password.

Tokens
The remember me cookie stores a random (meaningless), yet unique string that corresponds with a record in a tokens table, that stores a user ID.

Which approach is more secure and what are its disadvantages?

Answer

You should use randomly generated tokens if possible. Of course, the downside is that you have to write some extra code to store and use them on the server side, so this might not be warranted for all web applications. But from a security standpoint, this has distinct advantages:


  1. An attacker cannot generate tokens from user IDs, but he can definitely generate hashes. This is a big problem: even if you use a salt when generating hashes (and you should), your users are screwed if the salt ever gets into the wrong hands.

  2. Giving out these tokens enables your users (or your admin if need be) to "log out" certain sessions that they might want to get rid of. This is actually a cool feature to have; Google and Facebook use it, for example.

So, if you have time and budget: tokens, absolutely.
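The following Python models both schemes from the question and the two points the answer makes about them. It is an added example written for this page, not code from the question or the answer: the hash-based cookie is a deterministic digest of salt, user ID and stored password hash, so an attacker holding a database dump and the salt can mint a valid cookie for any user without knowing a password, and every device of that user carries the same cookie value, so no single device can be logged out. The token scheme issues a fresh 256-bit random value per login, stores only its SHA-256 in the "tokens" table (so a dump of the table does not yield usable cookies), and lets one session be revoked while another stays valid. The user record, `SITE_SALT`, and the `TokenStore` class are constructed for the example.

```python
import hashlib
import hmac
import secrets

# Constructed sample user table: user_id -> stored password hash.
# The value is a made-up stand-in for a real argon2/bcrypt hash.
USERS = {42: {"password_hash": "$argon2id$v=19$m=65536,t=3,p=4$c2FsdA$examplehash"}}

# Site-wide salt for the hash scheme; assumed to live in server config.
SITE_SALT = b"constructed-site-wide-salt"


# ---- Approach 1: hash-based cookie -----------------------------------------
def make_hash_cookie(user_id: int, password_hash: str, salt: bytes = SITE_SALT) -> str:
    """Cookie = '<user_id>:<sha256(salt | user_id | password_hash)>'.

    Deterministic: anyone who holds the salt and the stored password hash
    (e.g. from a database dump) computes exactly the same cookie.
    """
    data = salt + str(user_id).encode() + password_hash.encode()
    return f"{user_id}:{hashlib.sha256(data).hexdigest()}"


def verify_hash_cookie(cookie: str, users=USERS, salt: bytes = SITE_SALT):
    """Return the user_id if the cookie checks out, else None."""
    try:
        user_id = int(cookie.split(":", 1)[0])
    except ValueError:
        return None
    user = users.get(user_id)
    if user is None:
        return None
    expected = make_hash_cookie(user_id, user["password_hash"], salt)
    # Constant-time compare so the digest cannot be guessed byte by byte.
    return user_id if hmac.compare_digest(expected, cookie) else None


# ---- Approach 2: random server-side tokens ---------------------------------
class TokenStore:
    """In-memory stand-in for the 'tokens' table: sha256(token) -> user_id.

    Only a hash of each token is stored; the cookie carries the unhashed
    token, so a stolen copy of this table cannot be replayed as a cookie.
    """

    def __init__(self):
        self._rows = {}  # token_hash -> user_id

    @staticmethod
    def _key(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, user_id: int) -> str:
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._rows[self._key(token)] = user_id
        return token  # this is the cookie value handed to the browser

    def lookup(self, token: str):
        # Hash first, then dict lookup: the secret itself is never compared
        # byte by byte against stored values.
        return self._rows.get(self._key(token))

    def revoke(self, token: str) -> bool:
        """Log out a single session (one device)."""
        return self._rows.pop(self._key(token), None) is not None

    def revoke_all(self, user_id: int) -> int:
        """Log out every remembered session of a user; returns the count."""
        doomed = [k for k, v in self._rows.items() if v == user_id]
        for k in doomed:
            del self._rows[k]
        return len(doomed)

    def dump(self) -> dict:
        """What an attacker sees after stealing the tokens table."""
        return dict(self._rows)


def demo() -> dict:
    results = {}

    # Hash scheme: attacker with the DB dump and the salt forges a cookie
    # for user 42 without ever knowing the password.
    forged = make_hash_cookie(42, USERS[42]["password_hash"])
    results["hash_cookie_forged"] = verify_hash_cookie(forged) == 42

    # Hash scheme: every device gets the same cookie, so there is no way to
    # log out one device short of changing the password.
    results["hash_cookie_same_on_all_devices"] = (
        make_hash_cookie(42, USERS[42]["password_hash"]) == forged)

    # Token scheme: two remembered sessions for the same user.
    store = TokenStore()
    laptop = store.issue(42)
    phone = store.issue(42)
    results["tokens_differ"] = laptop != phone

    # Attacker steals the tokens table: stored hashes are not valid cookies.
    stolen = list(store.dump())
    results["token_forged_from_db_dump"] = any(store.lookup(h) == 42 for h in stolen)

    # User revokes the laptop session; the phone keeps working.
    store.revoke(laptop)
    results["laptop_revoked"] = store.lookup(laptop) is None
    results["phone_still_valid"] = store.lookup(phone) == 42
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Running `demo()` shows the forged hash cookie accepted, the two token cookies distinct, the leaked token hashes rejected, and the laptop session gone while the phone session survives. Hashing the token before storage is the one addition beyond what the answer describes; without it, a dump of the tokens table would hand out live cookies just as the hash scheme does.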
