在Cookie中存储(哈希)密码是否安全? [英] Is it safe to store (hashed) passwords in a cookie?
问题描述
我已阅读了一些有关SO的文章和问题(例如此处),表示您不应在Cookie中存储用户的密码。如果密码被盐化和哈希,为什么这种不安全?
I've read some articles and questions on SO (e.g. here) that say you shouldn't store a user's password in a cookie. If the password is salted and hashed, why is this insecure?
特别是,为什么它比使用会话安全性低,通常建议的替代方法?如果用户想要保持登录,那么这个新的cookie(带有会话ID /散列)肯定与用户密码一样安全?如果Cookie在某些方面被盗,攻击者可以以同样的方式以用户身份登录。
In particular, why is it less secure than using sessions, the alternative usually suggested? If the user wants to stay logged in then surely this new cookie (with a session ID/hash) is exactly as secure as the one with the user's password? If the cookie is "stolen" on some way the attacker can log in as the user in the same way.
EDIT :主要症结的问题是关于用户保持登录的部分,即通过记住我?复选框。在这种情况下,一定只有一个会话?
EDIT: The main crux of the question is the part about the user staying logged in, i.e. via a "Remember Me?" checkbox. In this case, surely there is only ever one session?
推荐答案
会话通常是关键的IP地址在某种程度上阻止会话盗窃。
Sessions are usually keyed to IP addresses at some level somewhat preventing session theft.
除此之外,会话ID不包含任何个人信息;你的密码,甚至是盐和哈希。密码,盐化和散列,因为他们可以,可以重复使用;会话ID不能。一旦会话结束,就结束了,您需要一个新的会话ID才能再次模拟用户。
Beyond that, the session ID doesn't contain any personal information; your password, even salted and hashed does. Passwords, salted and hashed as they may be, can be reused; session ID's can't. Once the session is over, it's over, you need a new session ID to be able to impersonate the user again.
这篇关于在Cookie中存储(哈希)密码是否安全?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
