是否建议在cookie中存储哈希密码? [英] Is it advisable to store a hashed password in a cookie?
问题描述
我希望用户能够在我的网站上选择一个记住我框,这样他们就不必每次都登录。所以,我需要在cookie中存储一个唯一的ID来标识它们。是否可以安全地使用sha512哈希他们的密码和PHP中的长盐,并将该值存储在cookie中?
如果cookie被盗,他们的密码是否有风险?
显然它必须以某种方式连接到他们的密码,否则如果cookie值被猜出或被盗,用户将无法阻止别人登录。
I want user's to be able to select a "remember me" box on my website so they need not log in each time they come. So, I need to store a unique ID in a cookie to identify them. Is it safe to hash their password with sha512 and a long salt in PHP and store that value in the cookie? If the cookie was stolen, would their password be at risk? Obviously it must be connected to their password somehow, otherwise if the cookie value was guessed or stolen, the user would not be able to stop someone else logging in.
另外,是否建议使用GUID作为唯一标识符?
Also, is it advisable to use a GUID at all as the unique identifier?
谢谢,
Ben
Thanks, Ben
推荐答案
记住,密码的哈希实际上与他们的密码相同。窃取哈希值的人对用户的帐户具有相同的访问权限,就像他们窃取了密码一样。因此,除非使用用于验证的cookie存储了一些其他信息(不是),否则不应将用户密码的哈希存储在Cookie中。因子认证)。
Remember, the hash of the password is effectively the same as their password. Somebody who stole the hash would have the same access to the user's account as if they had stolen their password. Therefore it is not advisable to store a hash of the user's password in a cookie unless there was some other information not stored with the cookie that is used to authenticate (i.e. 2-factor authentication).
这篇关于是否建议在cookie中存储哈希密码?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
