在php会话中存储安全用户数据的最佳方法是什么?
[英]What is the best way to store secure user data in php sessions?
问题描述
I'm coding a private message system in PHP for secure encrypted communications. 
我正在用PHP编写私人消息系统来进行安全的加密通信。
Every time a user registers an account, I'll create a new RSA private key using phpseclib and will encrypt it in AES using the user's password, which will be securely stored hashed and salted in the database. 每次用户注册帐户时,我都会使用phpseclib创建一个新的RSA私钥,并使用用户密码在AES进行加密,该密码将被安全地存储在数据库中进行散列和加盐。
Every time a user logs in with his password, he should also unlock his private key and maintain it on the fly. 每次用户使用他的密码登录时,他还应该解锁他的私钥并在运行中保持它。
This script is obviously intended to run only under SSL connections. 该脚本显然只能在SSL连接下运行。
The problem is that I need to maintain a non-encrypted version of the private key in the user's session to make sure he is able to read every message and write new messages without inserting the password on every page refresh. 问题是我需要在用户会话中维护私钥的非加密版本,以确保他能够读取每条消息并编写新消息,而无需在每次刷新页面时插入密码。
Storing in the PHP Session is not a secure solution since the PHP Sessions are still stored on the server and can be compromised. 存储在PHP会话中并不是一种安全的解决方案,因为PHP会话仍然存储在服务器上并且可能会受到危害。
Storing it in a Cookie is not a good solution since a Cookie can be easily stolen (but in this way I put the destiny of the user in his own hands). 将它存储在Cookie中并不是一个好的解决方案,因为Cookie很容易被盗(但这样我就把用户的命运掌握在自己手中)。
Is it possibile with ajax to maintain the key in a PHP variable (not Session) and never refresh the page but getting and writing messages using ajax? 是否可以使用ajax将密钥保存在PHP变量(而不是Session)中,并且永远不会刷新页面,而是使用ajax获取和写入消息? or is there a better solution? 还是有更好的解决方案?
Thanks in advance. 提前致谢。
2 个解决方案
解决方案1
1 2013-02-13 17:50:30
Assuming you have full control and can limit access/visibility to your database, you can switch over storing your session data from file storage to using database as session store. 假设您具有完全控制权并且可以限制对数据库的访问/可见性,则可以将会话数据从文件存储切换到使用数据库作为会话存储。 This assumes of course your db is secure enough for your needs. 当然,这假定您的数据库足够安全,可满足您的需求。 You can check out a detailed overview on how to setup php for storing session to your database here: http://www.stanford.edu/dept/its/communications/webservices/wiki/index.php/How_to_use_MySQL-based_sessions 您可以在此处查看有关如何设置php以存储数据库会话的详细概述: http : //www.stanford.edu/dept/its/communications/webservices/wiki/index.php/How_to_use_MySQL-based_sessions
Assuming you don't need to preserve session data across a database restart, you could also make the session store table's storage engine to be MEMORY instead of Innodb or MyISAM. 假设您不需要在重新启动数据库时保留会话数据,您还可以将会话存储表的存储引擎设置为MEMORY而不是Innodb或MyISAM。 This will make it pretty snappy and avoid the concern you might have of session data being inside the db files on disk in an unencrypted state. 这将使它非常活泼,并避免您在未加密状态下对磁盘上的db文件内的会话数据的关注。
解决方案2
0 2017-04-28 05:20:19
If you store the private key anywhere on the server, then it's only as safe as your trust in anyone who has root access to that server. 如果您将私钥存储在服务器上的任何位置,那么它对您对该服务器具有root访问权限的任何人的信任都是安全的。 For a secure messaging system, not all your users may want to trust the people who can access root. 对于安全邮件系统,并非所有用户都希望信任可以访问root用户的人。 (Do they?) That suggests you'd want to store the private key on the user's machine. (是吗?)这表明您希望将私钥存储在用户的计算机上。 As you suggested, doing that is a whole different set of security questions. 正如您所建议的,这样做是一组完全不同的安全问题。
I'm assuming your users are using web browsers to access your system, since you mentioned cookies. 我假设您的用户使用Web浏览器访问您的系统,因为您提到了cookie。 Most web browsers also support the idea of local storage (non-cookie), which might be an option to investigate; 大多数Web浏览器也支持本地存储(非cookie)的想法,这可能是一个调查选项; I'm not expert at all in that area so won't comment further. 我在该领域根本不是专家,所以不会进一步评论。
Security is hard, and complex. 安全性很难,也很复杂。 Be wary of any simple answers, and be aware that no security is perfect. 警惕任何简单的答案,并注意没有安全是完美的。 Good luck. 祝好运。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.