寻找为多个网站建立集中式身份验证的最佳方法
[英]Looking for the best way to build centralized authentication for multiple websites
问题描述
Long story short, i have a couple of clients who wanted to manage some stuff on their website, all websites are build with nodejs . 
长话短说,我有几个客户想要管理其网站上的某些内容,所有网站都是使用nodejs构建的。
I'v built a small CMS for those websites. 我为那些网站构建了一个小型CMS。
Keep in mind that none of my websites https, here is what i want to happen: 请记住,我的网站都没有https,这是我想发生的事情:
- a client goes to my website and submits a form with his password and username 客户访问我的网站并提交包含其密码和用户名的表格
- i http POST his credentials to his website 我HTTP POST他的证件给他的网站
- his website returns a json with OK 200 if the credentials are ok 如果凭据正常, 他的网站将返回OK 200的json
questions: 问题:
- Is this the best way to do it ? 这是最好的方法吗?
- what encryption method should i use? 我应该使用哪种加密方式?
1 个解决方案
解决方案1
0 已采纳 2013-03-25 10:54:45
No this is not the best way to do it. 不,这不是最好的方法。 You should never authenticate through http, and you should definitely not do you own encryption between the server and the clients. 您永远不要通过http进行身份验证,并且绝对不应该在服务器和客户端之间拥有加密功能。 Please consider using SSL. 请考虑使用SSL。 You can get a wildcard SSL certificate which supports subdomains and thus multiple websites, like: x.example.com y.example.com z.example.com 您可以获得通配符SSL证书,该证书支持子域,从而支持多个网站,例如:x.example.com y.example.com z.example.com
This is a recurring question, and the answer will always be to use established technologies and algorithms, instead of reinventing the wheel and possibly introducing security holes of your own. 这是一个反复出现的问题,答案将始终是使用已建立的技术和算法,而不是重新发明轮子并可能引入您自己的安全漏洞。
Please see this article on javascript cryptography and why not to do it. 请参阅有关javascript密码学的文章以及为什么不这样做。
But when you have the website wrapped in SSL you can use the approach you explained and it will then be secure. 但是,如果您使用SSL封装了网站,则可以使用您说明的方法,这样便很安全。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.