Implementing user and request authentication
Problem description
Please pardon my ignorance for I have almost no web development experience.
I've implemented a simple mechanism whereby I hash the user password (sent as a POST/GET parameter) and store it in a database. After a user logs in successfully, I return the user ID (PK in the database) back to the client. Subsequent requests must carry the user ID, which is used as a primitive mechanism to validate the requests.
I've read about several mechanisms, starting from simple HTTP authentication, using a salted hash (which I'm using), implementing access tokens, to the seemingly complicated OAuth authentication. Ah! and perhaps finally about HTTPS.
Leaving aside the last two, which I'm still to comprehend enough, I seem to have a very basic question to which I haven't been able to find an answer.
I'm sorry this is not a direct programming question, but the reason I ask is that I cannot find an answer on Google, or rather I am not using the correct search keywords.
The question is, given all the mechanisms of access tokens and API keys etc., even if I were to implement this mechanism but do not use HTTPS, is there any point in implementing them at all? I mean, just as anyone could sniff my clear-text password or user ID, he would also be able to snoop on the token/key and use that subsequently with malicious intent, thereby rendering the whole mechanism useless. Does that mean HTTPS is the only truly secure option?
I must be missing something here, but pointers would be really appreciated.
Recommended answer
> Does that mean https is the only truly secure option
No, there is no single "secure" option, rather a series of mitigations you implement to reduce risk at various points of your application. HTTPS does 3 distinct things:
- It verifies the identity of the site (site verification).
- It ensures the content hasn't been manipulated in transit (data integrity).
- It ensures eavesdropping hasn't occurred in transit (data confidentiality).
If you don't use HTTPS, all the other security practices you talk of can easily be made worthless if an attacker is watching or manipulating plain-text packets. Take a look at my post on Insufficient Transport Layer Protection to see what this means in practice.
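The thread raises two server-side points that the answer leaves implicit: the stored password should be a salted, slow hash rather than a plain hash, and the bearer a client presents on later requests should be an unguessable, expiring token rather than the database primary key. The following is an added example written for this page, not code from the asker or the answerer; the `AuthStore` class, the iteration count, the token lifetime and the sample users are all constructed for illustration. It also shows what a transport-independent mitigation can and cannot do: nothing here protects the token on the wire, which is exactly the gap the answer says only HTTPS closes.

```python
"""Added example (not from the original question or answer): a minimal
server-side credential and session store. It demonstrates salted password
hashing and an opaque, expiring session token issued in place of the
user's primary key. Names and parameters below are constructed for this
example; protecting the token in transit still requires HTTPS."""
import hashlib
import hmac
import secrets
import time

PBKDF2_ITERATIONS = 200_000  # assumed work factor; tune for your hardware
TOKEN_TTL_SECONDS = 3600     # assumed session lifetime


def _token_key(token):
    # Sessions are indexed by a hash of the token so a leaked session table
    # does not hand out usable bearer tokens.
    return hashlib.sha256(token.encode()).hexdigest()


class AuthStore:
    def __init__(self):
        self._users = {}     # username -> (salt, pbkdf2 digest)
        self._sessions = {}  # sha256(token) -> (username, expires_at)

    def register(self, username, password):
        # Per-user random salt: identical passwords get different digests.
        salt = secrets.token_bytes(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
        self._users[username] = (salt, digest)

    def _verify_password(self, username, password):
        record = self._users.get(username)
        if record is None:
            # Burn a hash anyway so an unknown user costs as much as a wrong
            # password; otherwise response time reveals valid usernames.
            hashlib.pbkdf2_hmac("sha256", password.encode(), b"\0" * 16, PBKDF2_ITERATIONS)
            return False
        salt, stored = record
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
        return hmac.compare_digest(candidate, stored)  # constant-time compare

    def login(self, username, password, now=None):
        """Return a fresh random session token, or None on bad credentials."""
        if not self._verify_password(username, password):
            return None
        token = secrets.token_urlsafe(32)  # 256 bits of entropy, unlike a PK
        now = time.time() if now is None else now
        self._sessions[_token_key(token)] = (username, now + TOKEN_TTL_SECONDS)
        return token

    def authenticate(self, token, now=None):
        """Map a presented token back to a username, or None if unknown/expired."""
        entry = self._sessions.get(_token_key(token))
        if entry is None:
            return None
        username, expires_at = entry
        now = time.time() if now is None else now
        if now >= expires_at:
            del self._sessions[_token_key(token)]  # expired: revoke on sight
            return None
        return username

    def logout(self, token):
        self._sessions.pop(_token_key(token), None)


if __name__ == "__main__":
    store = AuthStore()
    store.register("alice", "correct horse")  # constructed sample user
    token = store.login("alice", "correct horse")
    print("request authenticated as:", store.authenticate(token))
```

Design note: the token is stored hashed and looked up by hash, so a copy of the session table alone does not let anyone impersonate a user, and a `logout` or expiry invalidates it server-side, which a bare user ID can never do. What this cannot address is the asker's real worry, an attacker reading the token off the network, and that is the answer's point about transport protection.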