How to check Cookie Token against bcrypt-hashed Token in DB when using Persistent Login Cookies?


Problem description

In this popular solution for Persistent Login Cookies which involves generating a random 128-bit "token" to be saved in the user's Cookie, Jens Roland recommends:

And DO NOT STORE THE PERSISTENT LOGIN COOKIE (TOKEN) IN YOUR DATABASE, ONLY A HASH OF IT! The login token is Password Equivalent, so if an attacker got his hands on your database, he/she could use the tokens to log in to any account, just as if they were cleartext login-password combinations. Therefore, use strong salted hashing (bcrypt / phpass) when storing persistent login tokens.

But how do you check the Cookie Token against the bcrypted Token in the DB to confirm the Cookie login is valid, when bcrypting the Cookie Token will always yield a different result (since bcrypting always uses a random salt)?

In other words, you can't just bcrypt the Cookie Token and look for a match in the DB since you will never find one, so how do you actually match it against the hashed version in the DB as per the recommended solution ("The server keeps a table of number->username associations, which is looked up to verify the validity of the cookie.")?

EDIT

Keep in mind that as per the recommended solution linked to above, a single user can have multiple Cookies/Tokens for different devices. I mention that because an answer was submitted (that has since been deleted) that assumed it was only one Token per user.

Recommended answer

As mentioned in the previous answer, bcrypt stores the random salt as part of the hash, so each token entry in your database will include both random_salt and hashed_token.

When authenticating a 'remember me' login cookie (which should consist of userid and token), you will need to iterate over each of the token entries for that userid (usually just one entry, never more than a handful) and check each one separately using the stored random salt:

function verifyRememberMeToken(array $storedTokensForUser, string $cookieToken): bool {
    foreach ($storedTokensForUser as $entry) {
        // bcrypt embeds random_salt in hashed_token, so crypt() re-hashes the cookie token with that same salt
        if (hash_equals($entry['hashed_token'], crypt($cookieToken, $entry['hashed_token']))) {
            return true;
        }
    }
    return false;
}

(if your database has built-in support for bcrypt as part of the query syntax, you can create a prepared statement to do this for you)
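The per-user loop the answer describes, as an added example that is not part of the original question or answer. It uses the standard library's pbkdf2_hmac as a stand-in for bcrypt (the bcrypt package is not in the standard library), stores a random salt beside each hash the way the answer's random_salt/hashed_token columns do, keeps several entries per user for several devices, and includes a per-device revoke; the in-memory dict standing in for the database table is an assumption.

```python
import hashlib
import hmac
import os
import secrets

# Stand-in for bcrypt: a slow salted hash where each entry keeps its own salt.
PBKDF2_ROUNDS = 100_000


def hash_token(token: str, salt: bytes) -> bytes:
    """Hash a cookie token with a specific salt (same salt -> same digest)."""
    return hashlib.pbkdf2_hmac("sha256", token.encode(), salt, PBKDF2_ROUNDS)


def issue_token(db: dict, userid: str) -> str:
    """Create a 128-bit token for one device; the DB keeps only its salted hash."""
    token = secrets.token_hex(16)  # 128 random bits, this goes into the cookie
    salt = os.urandom(16)
    db.setdefault(userid, []).append(
        {"random_salt": salt, "hashed_token": hash_token(token, salt)}
    )
    return token


def _find_entry(db: dict, userid: str, cookie_token: str):
    """Index of the entry whose hash matches the cookie token, else None."""
    for i, entry in enumerate(db.get(userid, [])):
        candidate = hash_token(cookie_token, entry["random_salt"])
        # Constant-time comparison of the re-hashed token against the stored hash
        if hmac.compare_digest(candidate, entry["hashed_token"]):
            return i
    return None


def verify_cookie(db: dict, userid: str, cookie_token: str) -> bool:
    """Accept the 'remember me' cookie if any of the user's entries matches."""
    return _find_entry(db, userid, cookie_token) is not None


def revoke_cookie(db: dict, userid: str, cookie_token: str) -> bool:
    """Log out this one device: drop its entry, leave the user's other tokens."""
    i = _find_entry(db, userid, cookie_token)
    if i is None:
        return False
    del db[userid][i]
    return True


if __name__ == "__main__":
    table = {}  # constructed stand-in for the userid -> token-entries table
    laptop, phone = issue_token(table, "alice"), issue_token(table, "alice")
    print(verify_cookie(table, "alice", laptop), verify_cookie(table, "alice", phone))
    revoke_cookie(table, "alice", laptop)
    print(verify_cookie(table, "alice", laptop), verify_cookie(table, "alice", phone))
```

A leaked table yields only salted hashes, and a stolen cookie can be revoked on its own without logging the user out of other devices.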
