将相同的数据库用于客户端哈希,盐和设置是否会暴露客户端哈希?
[英]Will using the same database for client hashes, salts, and settings expose client hashes?
问题描述
If I have an XML database on my web server; 
如果我的Web服务器上有一个XML数据库;
<Database>
<Client sid="0123456789abcdefg" name="John Doe" email="johndoe@mail.com" hash="9876543210abcdefg" salt="abcdefg9876543210">
<Setting>A Setting</Setting>
<Setting>Another Setting</Setting>
</Client>
...
</Database>
And I log in with the hash and salt, retrieve the SID, and redirect to the home page via PHP; 然后,我用哈希和盐登录,检索SID,然后通过PHP重定向到主页;
header("Location: home.html?sid=" . $sid);
And then use the SID in the location bar via JavaScript to retrieve the user settings from the same database , will I expose my clients' hash? 然后通过JavaScript在位置栏中使用SID从同一数据库中检索用户设置,我是否会公开客户的哈希?
Is there a better way, or a more standard way, to set and get user settings on the web? 是否有更好的方法或更标准的方法来设置和获取网络上的用户设置?
PS: Unless you have a really good reason, I really, really, really, don't want to use SQL. PS:除非您有很好的理由,否则我确实非常不想使用SQL。 I prefer to be able to read my databases, and I like the tangibility and versatility of XML. 我更喜欢能够读取我的数据库,并且我喜欢XML的真实性和多功能性。
Edit: After a little more research, I learned that PHP supports a system for storing SESSION[] variables. 编辑:经过更多研究,我了解到PHP支持存储SESSION []变量的系统。 This is perfect for me because I am, in fact, using sessions! 这对我来说是完美的,因为实际上我正在使用会话!
The W3C says: W3C说:
"A PHP session variable is used to store information about, or change settings for a user session. Session variables hold information about one single user, and are available to all pages in one application." “ PHP会话变量用于存储有关用户会话的信息或更改用户会话的设置。会话变量保存有关一个用户的信息,并且可用于一个应用程序中的所有页面。”
Much better than exposing various data in the address bar. 比在地址栏中显示各种数据要好得多。 =) =)
1 个解决方案
解决方案1
1 已采纳 2014-01-09 22:40:25
As long as your DB file is inaccessable from HTTP (ie locked by a .htaccess or equivalent) and other protocols (ie not sitting in a directory accesable by anonymous FTP), the only risk is to (inadvertently) let the hash&salt be collected among a bunch of other user-related data and sent to your clients. 只要您的数据库文件无法通过HTTP(即被.htaccess或等效文件锁定)和其他协议(即,不位于匿名FTP可以访问的目录中)访问,唯一的风险就是(无意间)让哈希和盐分被收集一堆其他与用户相关的数据并发送给您的客户。
If you have requests equivalent to the SQL * selector, that might be somewhat of a problem. 如果您有与SQL *选择器等效的请求,则可能会有问题。 You might want to put the critical data into a different DB file and encapsulate the accesses in an interface dedicated to user registration and login, just to make sure no other piece of code will be able to grab them (even by mistake) from your main DB. 您可能希望将关键数据放入另一个数据库文件中,并将访问封装在专用于用户注册和登录的界面中,以确保没有其他代码能够(甚至是错误地)从您的主代码中获取它们。 D B。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.