Safe authentication in codeigniter
Question
I'm trying to roll my own authentication system in codeigniter, and have stumbled onto a couple of roadblocks.
If I have the sessions set to use a database, is userdata stored in the database alone or in the cookie as well? I'd like to store the hashed password in it to verify on each page load that a user is actually logged in with the correct pass, and I do not want the hash to be accessible client-side at all.
How can I prevent sessions from being stolen? I've enabled IP and hostname verification; is that stuff automatic, or do I have to perform the checks myself? Will that be enough to stop people from stealing session data?
Accepted answer
Userdata can be stored in the session. If you have sessions set up to use a database, the only cookie will be a ci_session cookie (or whatever name you specify), and the cookie + IP/hostname will be matched against the database sessions table.
Storing the hashed password in-session will be completely safe; it's in your own database. No problems.
Preventing sessions from being stolen should use an IP or hostname match (either every page load or a little less often; some people have dynamic IPs). Not sure about automatic verification, but it's always nice if you check by yourself.
Preventing session data stealing is pretty much like that. Unless someone intercepts your cookie and magically reports a false IP (or, well, shares an IP/hostname with the target), it's enough. You could also do another check: match the user_agent. That you'll have to do manually.
That's pretty much everything.
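The following is an added example, not code from the question, the answer, or the CodeIgniter project, showing one way to put the answer's advice into a CodeIgniter 2.x application: the session config keys that bind a database-backed session to the client's IP and user agent (these keys are CI 2.x's own, and the framework applies the IP/user-agent match itself on every request when they are TRUE), plus a hypothetical base controller and login action that re-validate the logged-in user against the users table on each page load. The table and column names (`users`, `password_hash`), the `auth_token` session key, and the use of PHP's `password_verify()` (PHP 5.5+) are assumptions made for the example; the choice to store a SHA-256 digest of the stored password hash rather than the hash itself is a design choice of this example, so that a password change invalidates every other session for that account.

```php
<?php
// application/config/config.php (CodeIgniter 2.x): server-side sessions bound
// to the client's IP and user agent. Keys are CI 2.x's own; values are the
// hardened choices for this example.
$config['sess_cookie_name']     = 'ci_session';
$config['sess_expiration']      = 7200;          // seconds; 0 would mean "never expire"
$config['sess_expire_on_close'] = TRUE;
$config['sess_encrypt_cookie']  = TRUE;          // needs a non-empty $config['encryption_key']
$config['sess_use_database']    = TRUE;          // custom userdata lives in the DB table
$config['sess_table_name']      = 'ci_sessions';
$config['sess_match_ip']        = TRUE;          // CI rejects a cookie presented from another IP
$config['sess_match_useragent'] = TRUE;          // ... or by a different user-agent string
$config['sess_time_to_update']  = 300;           // rotate the session id every 5 minutes
$config['cookie_secure']        = TRUE;          // only send the cookie over HTTPS

// application/core/MY_Controller.php (hypothetical base controller): on every
// request, re-validate the logged-in user against the users table instead of
// trusting the session contents alone.
class MY_Controller extends CI_Controller
{
    protected $current_user = NULL;

    public function __construct()
    {
        parent::__construct();
        $this->load->library('session');
        $this->load->database();

        $user_id    = $this->session->userdata('user_id');
        $auth_token = $this->session->userdata('auth_token'); // issued at login, see Login below
        if ($user_id === FALSE || $auth_token === FALSE) {
            return; // anonymous visitor; each controller decides what it allows
        }

        // Assumed schema: users(id, username, password_hash) with password_hash
        // produced by password_hash().
        $user = $this->db->get_where('users', array('id' => (int) $user_id))->row();

        // The session must point at an existing user whose stored password hash
        // still matches the one the session was issued against. A password
        // change or admin reset therefore logs out every other session.
        if ($user === NULL || $auth_token !== hash('sha256', $user->password_hash)) {
            $this->session->sess_destroy();
            redirect('login');
        }
        $this->current_user = $user;
    }

    // Helper for controllers that require a logged-in user.
    protected function require_login()
    {
        if ($this->current_user === NULL) {
            redirect('login');
        }
    }
}

// application/controllers/login.php (hypothetical): verify the password with
// password_verify(), then issue a fresh session bound to this account.
class Login extends MY_Controller
{
    public function do_login()
    {
        $username = $this->input->post('username');
        $user = $this->db->get_where('users', array('username' => $username))->row();

        if ($user === NULL || ! password_verify($this->input->post('password'), $user->password_hash)) {
            $this->session->set_flashdata('error', 'Invalid credentials');
            redirect('login');
        }

        // Drop any pre-login session and create a new one so a session id that
        // existed before authentication is never promoted to a logged-in one.
        $this->session->sess_destroy();
        $this->session->sess_create();
        $this->session->set_userdata(array(
            'user_id'    => $user->id,
            // Digest of the stored hash, never the password and never the hash
            // itself; it stays in the ci_sessions table, not in the cookie.
            'auth_token' => hash('sha256', $user->password_hash),
        ));
        redirect('dashboard');
    }
}
```

With `sess_match_ip` and `sess_match_useragent` enabled, CI 2.x's session library already compares the stored IP and user agent to the current request when it reads the session and destroys the session on a mismatch, so the manual user_agent check the answer mentions is only needed if you leave that key off; the per-request lookup in `MY_Controller` adds the check that the account still exists and still has the password the session was created with.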