堆栈内存溢出
  简体   繁体   English

安全地存储用户凭证令牌

[英]Securely storing user credential tokens

 原文  2013-05-22 04:40:04       php/ security/ oauth

问题描述

I'm writing a service where users use OAuth to log into another service. 我正在编写一项服务,用户使用OAuth登录其他服务。 The point of my service is to do some maintenance things for the user when they're not logged in. So, I need to keep their OAuth token stored so it can be used while the user is not logged in. If the user was logged in, I could use the user's password as an encryption key (asked for each time; the user's password is only stored as a hash) and store the token encrypted. 我的服务点是在用户未登录时为用户做一些维护。因此,我需要保存他们的OAuth令牌,以便在用户未登录时使用它。如果用户已登录在,我可以使用用户的密码作为加密密钥(每次询问;用户的密码仅存储为哈希)并存储加密的令牌。

But as it is, I need the web service to be able to use those tokens when the user's not logged in. So, I'm considering storing them encrypted in the database (AES), but then the key to decrypt them will either need to be hard-coded into the application, or derived from something else (combination of user's name/email/hashed password), though the logic of that derivation would still be in the source. 但实际上,我需要Web服务才能在用户未登录时使用这些令牌。因此,我正在考虑将它们加密存储在数据库(AES)中,但是解密它们的密钥要么需要要硬编码到应用程序中,或者从其他东西(用户名/电子邮件/散列密码的组合)派生,尽管该派生的逻辑仍然在源中。

Given that this will be written in PHP, which cant be compiled to obscure a secret key, what are my best options for making this as secure as possible? 鉴于这将用PHP编写,不能编译为隐藏密钥,我最好的选择是什么使其尽可能安全? My source code has always had database credentials in it, which means someone could mess up that database if they could get at the source coe, but having OAuth tokens on hand means an intruder could mess up the user's data on OTHER sites as well, if mine is compromised, and I'd like to give my users as much assurance as possible that won't happen. 我的源代码一直都有数据库凭据,这意味着有人可能会弄乱该数据库,如果他们可以获得源系数,但手头有OAuth令牌意味着入侵者也可能弄乱用户在其他网站上的数据,如果我的应用程序受到了损害,我希望尽可能地为我的用户提供不会发生的保证。

1 个解决方案

解决方案1
 1  2013-05-22 04:43:46

Part of the reason for using OAuth tokens in the first place is that they can be revoked. 首先使用OAuth令牌的部分原因是它们可以被撤销。 Protect the tokens like you would any other user-specific data, and that's plenty. 像任何其他用户特定的数据一样保护令牌,这很充足。 If you have reason to believe that your user data is compromised at any specific point in the future, inform your users and ask them to revoke the token. 如果您有理由相信您的用户数据在将来的任何特定时刻遭到入侵,请通知您的用户并要求他们撤销令牌。

暂无
暂无

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

相关问题 使用PHP / MySQL安全地存储和提供用户文件 - Storing and serving user files securely with PHP/MySQL 在Zend Framework 1.11中安全地存储用户文件 - Storing user files securely in Zend Framework 1.11 在PHP Web应用程序中安全地存储用户凭据 - Securely storing user credentials in DB, for PHP web application 安全地存储脚本 - Storing Scripts Securely 安全地存储私人图像 - Securely storing private images 安全地存储数据 - Securely storing data 使用Codeigniter安全地存储会话数据? - Storing Session Data Securely With Codeigniter? 将pdf文件安全地存储在服务器上 - storing pdf files on server securely 将值安全地存储在mySQL数据库中 - Storing values securely in mySQL Database 将敏感数据安全地存储在数据库中 - Storing sensitive data securely in a database
相关标签
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM