如何在PHP中安全地存储包含敏感数据的Cookie? [英] How to store cookies containing sensitive data securely in PHP?
问题描述
我希望我的用户在登录我的网站时拥有保持登录功能。根据对此信息的热门答案的建议,保持我登录 - 最好的方法,我决定在一个cookie中哈希用户的盐和密码的组合,并将用户的ID(数字)存储在另一个cookie中。当然,哈希值也将存储在数据库服务器端,以便在用户再次返回时进行验证。我使用的salt值与用户首次注册时用于哈希用户密码的值相同,因此它是静态的 - 它在会话之间不会更改。这个方法有几个问题。
I would like for my users to have the capability of "Keep me logged in" when they log in to my website. At the suggestion of the top answer on this post, "Keep Me Logged In" - the best approach, I decided to hash a combination of the user's salt and password in one cookie and store the user's id (a number) in another cookie. Of course, the hash value will also be stored on a database server-side to be validated when the user returns again. The salt value I used is the same one that I used to hash the password of the user when they first register, so it is static - it doesn't change between sessions. There's a few of problems I see with this approach.
1)使用注册salt是一个好主意,如果它是静态的或者应该每次生成不同的盐cookie?
1) Is using the registration salt a good idea if it's static or should I generate a different salt each time for the cookie?
2)如果有人获取Cookie并将其复制到其他计算机,然后尝试从该计算机访问该网站,理论上,会自动将其登录到该用户的帐户,这是不是一个安全问题?
2) If someone were to gain access to the cookies and they copy them to a different computer, and then try accessing the website from that computer, theoretically, it will automatically log them in to that user's account, is this not a security issue?
3)在一些情况下,有恶意Intent的用户要访问数据库,一个安全的网站会有盐化和哈希的密码,使黑客很难获得访问多个帐户(如果有的话)。但是,通过简单地使用哈希值和salt值,并创建一个cookie来匹配他们在数据库上更改的值,他们可以有效地访问他们想要的任何帐户,使整个密码哈希过程无用。因此,我现在使用的cookie方法损害了我的整个数据库和所有用户的帐户。
3) In a scenario where some user with malicious intents were to gain access to the database, a secure website would have salted and hashed passwords making it rather difficult for the hacker to gain access into multiple accounts (if at all). But, by simply playing around with the hash and salt values and creating a cookie that matches the values they've changed on the database, they can effectively get access to any account they want, rendering the whole password-hashing process as useless. Therefore, this cookie approach I'm using now is compromising my entire database and all my users' accounts.
所以我的问题是,如何存储cookie在PHP与敏感信息,如用户的密码的哈希,而不必担心上述问题?当然,像Gmail和Hotmail这样的网站,提供这个保持我登录功能遵循比我现在做的更安全的方法,那么他们该怎么办呢?
So my question is, how do I store a cookie in PHP with sensitive information such as a hash of the user's password without having to worry about the aforementioned issues? Surely websites like Gmail and Hotmail, who offer this "Keep me logged in" feature follow a more secure approach than what I'm doing now, so how would they do it?
推荐答案
不要在cookie中存储密码,散列或不散列。事实上,没有理由在cookie中存储任何敏感的东西。所有您需要做的是将一个128位(或更大)的随机ID映射到数据库中的用户帐户,并将该ID存储在cookie中。有人无法通过远程暴力猜测有效的id,特别是如果你有锁定的地方。
Don't store the password in the cookie, hashed or not. In fact, there's no reason to store anything sensitive in the cookie. All you need to do is map a 128-bit (or larger) random id to a user account in your database, and store that id in the cookie. There is no way somebody is going to guess a valid id by remote brute force, especially if you have lock-outs in place.
如果有人访问cookies,并将其复制到不同的计算机,然后尝试从该计算机访问网站,理论上,它会自动将其登录到该用户的帐户,这不是一个安全问题?
If someone were to gain access to the cookies and they copy them to a different computer, and then try accessing the website from that computer, theoretically, it will automatically log them in to that user's account, is this not a security issue?
是的。这是功能的缺点。但是,如果您的网站检测到新的IP地址(特别是来自不同的国家/地区)并需要第二步(将代码发送到移动设备等),那么您会处理此问题以及密码被盗的常见问题。 (这当然不能防止本地网络攻击,例如不安全的公共无线网络。)
Yes. That's the downside to the feature. However, if your website detects new IP address (particularly from different countries) and requires a second step (text a code to a mobile device, etc), then you take care of this problem along with the general problem of a stolen password. (This of course doesn't help prevent local network attacks, like an insecure public wifi.)
一个更方便的解决方案是要求记住我 SSL。这样,黑客将不会看到cookie在纯文本传输,并且可能需要本地攻击。 (如果是这样,记住我的cookie可能是用户关注的最少。)
A more convenient solution is to require the "remember me" cookie to use SSL. That way a hacker would not ever see the cookie in plain text transmission, and a local attack would probably be required. (And if such, the remember me cookie is probably the least of the user's concerns.)
他们可以有效地访问任何帐户
they can effectively get access to any account they want, rendering the whole password-hashing process as useless.
是的,没有。如果你使用我描述的技术(随机ID),那么他们只能访问具有记住我cookie的帐户。但是,说,如果他们有权访问您的数据库,他们可以暴力强制任何帐户他们想要的。如果密码本身很弱,甚至盐渍的密码也很容易破解。
Yes, and no. If you use the technique I described (random id) then they can only access accounts that have a "remember me" cookie. But that said, if they have access to your database, they can brute force any account they want. Even salted passwords are easy to crack locally if the password itself is weak.
此外,你可以考虑记住我的登录是半登录。访问购买东西,更改电子邮件地址等,仍然需要输入密码。在没有密码的情况下,可以在邮件板上发布无害的事情。
Also, you can consider the "remember me" login to be a half-login. Access to purchase something, change an email address, etc, would still require a password to be entered. Doing harmless things like posting on a message board could be done without the password.
最后,请注意,PHP会话cookie只是一个临时的记住我令牌!这些都适用于会话劫持的概念。 记住我令牌只是增加了一个更大的机会窗口。
Finally, note that a PHP session cookie is nothing more than a temporary "remember me" token! So much of this applies to the concept of session hijacking. The "remember me" token simply adds a bigger window of opportunity.
简而言之:不要在cookie中存储任何敏感信息,如果可能,实施多因素身份验证...特别是对于管理员帐户。
So in short: don't store anything sensitive in the cookie, require SSL for the cookie, and if possible, implement multi-factor authentication ... especially for admin accounts.
这篇关于如何在PHP中安全地存储包含敏感数据的Cookie?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
