将加密的ID和密码存储在Cookie中-与GDPR兼容吗?
[英]Store encrypted id and password in cookie - works with GDPR?
问题描述
I've multiple applications running in sub-domains, under a parent-domain that I have no control of. 
我有多个应用程序在我无法控制的父域下的子域中运行。 They all require a login, which works by sending to an API request that I also have no control of. 它们都需要登录,可以通过发送到我也无法控制的API请求来工作。
The downside of this is that they all require login if you jump from one to another. 缺点是,如果您从一个跳到另一个,它们都需要登录。 A solution for a "single sign on" is to make a portal site that require a login once, where you then can access all these applications from there. 一种“单点登录”的解决方案是将门户网站设为一次需要登录的网站,然后您可以在该网站上访问所有这些应用程序。 Still, you can't jump from one to another without login, but at least you can do so by the portal-site. 尽管如此,没有登录就无法从一个跳到另一个,但是至少您可以在门户站点上这样做。
The idea: 这个想法:
1) Encrypt your id and password upon login that will be stored in cookie in the portal-site. 1)登录时对您的ID和密码进行加密,并将其存储在门户网站的cookie中。
2) Once visiting other page, the encrypted id + password will be sent over to the url, and then in the visited application, send the encrypted value to the backend (via my own created API) to be decrypted.. 2)访问其他页面后,加密的ID +密码将发送到url,然后在访问的应用程序中,将加密的值发送到后端(通过我自己创建的API)以进行解密。
3) Once decrypted in the backend, an API request will be called for login (instead doing it on front-end as they currently does). 3)一旦在后端解密,就会调用一个API请求进行登录(而不是像现在那样在前端进行登录)。
In other word, I will create a backend server, making a new API request to recieve the encrypted value, decrypt, and then use the actuall API request for login (that I have no control of). 换句话说,我将创建一个后端服务器,发出一个新的API请求以接收加密值,解密,然后使用实际的API请求进行登录(我无法控制)。
Does this work, or is this againt GDPR? 这有效吗,还是GDPR呢? Is this far fetched, is there a better method? 这牵强附会,有更好的方法吗?
( I'm not very experienced with this area ) (我在这方面不是很经验)
1 个解决方案
解决方案1
0 已采纳 2019-08-28 12:42:55
Well first, this is not the main issue GDPR would actually look into (if ever they do). 首先,这不是GDPR实际上要研究的主要问题(如果有的话)。 It mostly deals with how you handle the user's data, what you do with it, and how much power the user has over its data. 它主要涉及如何处理用户数据,如何处理数据以及用户对数据有多大的权能。 Of course, this s not exhaustive and a lot of things must be taken into account. 当然,这还不是很详尽,必须考虑很多因素。
However, as for your question: 但是,关于您的问题:
First, NEVER store a password in cookies. 首先, 切勿在Cookie中存储密码。 I mean, never store a password. 我的意思是,永远不要存储密码。 Never! 决不! Even encrypted. 甚至加密。 But you can use them so that a token for authentication is generated. 但是您可以使用它们,以便生成用于身份验证的令牌。 More information about that here 有关此的更多信息
Secondly, use HTTPS . 其次,使用HTTPS 。 Why? 为什么? Well you should send your credential through a TLS 好吧,您应该通过TLS发送凭据
Finally, encrypting the password on the client-side is pointless for some because of TLS, but I find it eventually more secure as long as it can't be easily reversed (see client-side encryption). 最后,由于TLS,在某些方面对客户端进行加密是没有意义的,但我发现,只要不容易将其反转,它最终将更加安全(请参阅客户端加密)。 Another question that would answer partially yours. 另一个问题,这将部分地回答你的。 However, it is pointless to decrypt a password on the server-side. 但是,在服务器端解密密码毫无意义。 It would even decrease the security of your process. 甚至会降低过程的安全性。 In fact, you should encrypt it on the server-side with a strong one-way hash function, that will be stored in your database, and use as a comparison element when the user tries to log again. 实际上,您应该在服务器端使用强大的单向散列函数对其进行加密,该函数将存储在数据库中,并在用户尝试再次登录时用作比较元素。 Every time he wants to log-in, the password sent to the server will be hashed, and this hash will be compared to the one stored. 每次他要登录时,发送到服务器的密码都将被散列,并将该散列与存储的密码进行比较。 If they match, the authentication is granted. 如果它们匹配,则授予身份验证。 If not, the user is refused access. 如果不是,则拒绝用户访问。 Therefore, the actual password is never stored . 因此, 实际的密码从不存储 。
You can also look into OWASP which is a great resource for Web Application Security. 您也可以查看OWASP ,它是Web应用程序安全的重要资源。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.