简体繁体 English

这个用户是否足够安全？

[英]Is this user auth secure enough?

原文 2015-06-17 13:45:51 6 2 php/ security/ authentication/ hash

I am trying to move away from using md5() for storing and comparing passwords. 我试图摆脱使用md5（）来存储和比较密码。 So I want to start using password_hash(). 所以我想开始使用password_hash（）。

Now, how I used to do it, was I would store the username and an md5 of their password in their session or cookies (if they chose "remember me"), and then check the database to see if any user existed with that username and md5'd password. 现在，我以前如何做，是我会在他们的会话或cookie中存储用户名和密码的md5（如果他们选择“记住我”），然后检查数据库以查看是否存在该用户名的任何用户和密码。 I realize this is not very secure, which is why I want to stop this. 我意识到这不是很安全，这就是为什么我要阻止它。

I can no longer do this because password_hash() always changes, so I cannot store a hash in their session and then check for it in the database, because I need to use password_verify on the unhashed password. 我不能再这样做了，因为password_hash（）总是会改变，所以我不能在他们的会话中存储哈希，然后在数据库中检查它，因为我需要在未使用的密码上使用password_verify。

So my question is, if I store a hashed "session id" and "token" in the user table when a user successfully logs in, and then store that in the persons session/cookies along with the user id in order to check the database with, is this secure enough? 所以我的问题是，如果我在用户成功登录时在用户表中存储散列的“会话ID”和“令牌”，然后将其与用户ID一起存储在人员会话/ cookie中以便检查数据库有，这足够安全吗？ When I say hashed "session id" and "token" I mean sha256'd or even md5'd hash of random large numbers... 当我说散列“会话ID”和“令牌”时，我的意思是sha256'd甚至md5'd随机大数字的散列...

Example: 例：

User logs in -> hashed "session id" and "token" is store in the users cookies/session, and their row in the database is updated with the hashed "session id" and "token". 用户登录 - >哈希“会话ID”和“令牌”存储在用户cookie /会话中，并且数据库中的行使用散列的“会话ID”和“令牌”进行更新。

User visits site -> code checks to see if their "session id" and "token" exists in the database based on their browser session/cookie vars. 用户访问站点 - >代码检查以查看他们的“会话ID”和“令牌”是否存在于数据库中，具体取决于他们的浏览器会话/ cookie变量。 If it does, it assumes that the row found represents the current user. 如果是，则假定找到的行代表当前用户。

Any insight would be greatly appreciated. 任何见解将不胜感激。

2 个解决方案

What I'd do is when the user logs in, generate a unique id for his login using uinqid() ( http://php.net/uniqid ) and then store this in a new table. 我要做的是当用户登录时，使用uinqid（）（ http://php.net/uniqid ）为他的登录生成一个唯一的id，然后将其存储在一个新表中。 Id then check this table to see if the cookie matches the uniqid stored in the table. Id然后检查此表以查看cookie是否与表中存储的uniqid匹配。

You'd have to make sure the table row is deleted when the user logs in again, but this would cause a problem if the user sets a remember me on multiple devices, so I'd set an expire date in the table for each id, and the login script would: 当用户再次登录时，您必须确保删除表格行，但如果用户在多个设备上设置记住我，则会导致问题，因此我会在表格中为每个ID设置一个过期日期，登录脚本将：

SELECT * FROM 'UNIQIDS' WHERE $current_date_and_time > 'EXPIRE' and delete all results SELECT * FROM'UNIQIDS'HERERE $ current_date_and_time>'EXPIRE'并删除所有结果
Check for the existence of a cookie. 检查是否存在cookie。 If there is one and it matches the uniqid, create a session on the computer, else show login page 如果有，并且它与uniqid匹配，则在计算机上创建会话，否则显示登录页面

Upon user login: 用户登录后：

Check if there is already a uniqid stored in the table 检查表中是否已存储uniqid
If there is one stored, if the current date and time is past its expire date, delete the row 如果存储了一个，如果当前日期和时间超过其到期日期，则删除该行
If the one has expired generate a new one with a new expiry date matching the expiry date of the cookie you are generating. 如果已过期，则生成一个新的到期日期，该新的到期日期与您生成的cookie的到期日期相匹配。 If the one hasn't expired, calculate the time between now and the time it expires and create a cookie containing its value and expiring in the time you calculated. 如果尚未过期，则计算从现在到它到期的时间之间的时间，并创建一个包含其值并在计算时间到期的cookie。

This is highly secure as it would be hard to fake this cookie, and it doesn't ever pass the users password information to the client machine. 这是非常安全的，因为很难伪造这个cookie，并且它不会将用户密码信息传递给客户端机器。

For even more security, you can md5 the uniqid you generate but theres no real need, as it contains no important information. 为了更加安全，你可以md5你生成的uniqid，但没有真正需要，因为它不包含重要信息。

This is rather complicated but if you take it one step at a time, it shouldnt be impossible. 这是相当复杂的，但如果你一步一步，它不应该是不可能的。

Good luck! 祝好运！

For best password hashes and usage and yet simple to code is below example... 为了获得最佳的密码哈希和使用，并且代码简单，下面是示例...

$salts= ['cost' => 12]; password_hash("Password", PASSWORD_BCRYPT, $options);

$salts is an array which combines miltiple times when password_hash() is used. $salts是一个数组，当使用password_hash()时，它会结合多次。

PASSWORD_BCRYPT is an algo which hashes the string with "$2y$" identifier and with blowfish encryption algo. PASSWORD_BCRYPT是一个算法，用“$ 2y $”标识符和blowfish加密算法散列字符串。 This outputs 60 char of jumbled set. 这输出60个混乱的集合。