简体繁体 English

PHP安全登录-客户端选项？

[英]PHP Secure Login - Client-side options?

原文 2009-07-23 00:28:47 7 5 php/ javascript/ security/ authentication/ codeigniter

Ok now I am confused. 好吧，我很困惑。 I have been getting advice from SO users on libraries to use with codeigniter for authentication. 我一直在从SO用户那里获得关于库的建议，以与Codeigniter一起使用进行身份验证。 I have explored dx_auth and simpleloginsecure (I think I will use the latter due to its supposed secure hashing and small footprint). 我已经研究了dx_auth和simpleloginsecure（我认为我会使用后者，因为它应该是安全的散列和较小的占用空间）。

BUT, what about hashing the password on the client side? 但是，如何在客户端哈希密码呢？ I haven't seen any mention of this in the libraries' documentation. 在库的文档中我没有看到任何提及。 Regardless of how secure these libraries are, doesn't there need to be some client side encryption (js) so that passwords are never posted in plain text? 不管这些库有多安全，是否都不需要进行一些客户端加密（js），以便密码永远不会以纯文本形式发布？ Or am I missing something and these libraries somehow do cover this... 还是我错过了一些东西，这些库以某种方式涵盖了这一点...

Thanks 谢谢

Update: a couple answers below suggest SSL. 更新：以下几个答案建议使用SSL。 However, I was under the impression that these php (codeigniter plugin) libraries were in lieu of SSL (was I completely mistaken here)? 但是，我给人的印象是这些php（codeigniter插件）库代替了SSL（我在这里完全误解了）？ If I am mistaken, is there a secure way of accomplishing this without SSL? 如果我弄错了，有没有一种无需SSL即可完成此操作的安全方法？ (In the past I have used a javascript md5 hash function to encrypt the password before posting it...but I was hoping for something more secure). （过去，我曾使用javascript md5哈希函数在发布密码之前对密码进行加密...但是我希望能获得更安全的信息）。

Update 2 Okay - so it seems like the consensus is that I should be using SSL. 更新2好的-看来共识是我应该使用SSL。 If this is the case, then what is the point of all those fancy php authentication libraries that perform all sorts of hashing. 如果是这种情况，那么执行各种哈希处理的所有高级php身份验证库的意义何在？ If SSL takes care of the encryption from the client to the server, then whats the point of using these libraries (dx_auth etc.. aside from maybe adding role capabilities)? 如果SSL负责从客户端到服务器的加密，那么使用这些库（dx_auth等。除了可能添加角色功能之外）还有什么意义？ Is it simply to ensure secure storage of the data on the server/database? 仅仅是为了确保服务器/数据库上数据的安全存储？ (I would compare the level of sensitivity of the data on the project I am working on to that of stackoverflow..no credit cards or anything overly sensitive, just username, password etc.) （我将比较我正在处理的项目上的数据的敏感度级别与stackoverflow的敏感度级别。没有信用卡或任何过于敏感的东西，仅是用户名，密码等。）

5 个解决方案

To encrypt the client side data, you would need to ssl. 要加密客户端数据，您需要ssl。

Basically ssl sends the browser the encryption key at the start of each session, which post variables, etc are then encrypted with, and decrypted again at the other end by the server. 基本上，ssl在每个会话开始时向浏览器发送加密密钥，然后使用服务器对发布的变量等进行加密，然后在另一端再次解密。

JS encryption could actually make your system less secure, as it would expose your hashing algorithm. JS加密实际上会降低系统的安全性，因为它会暴露哈希算法。

UPDATE: 更新：

hashing the password doesn't protect it from being snooped between the client and the server, but rather means that if someone hacks your site, or gains access to your database in anyway, all of the passwords are not viewable in plain text. 散列密码并不能防止它在客户端和服务器之间被窥探，而是意味着，如果有人黑客入侵您的网站，或者无论如何获得对您数据库的访问权限，则所有密码都无法以纯文本格式查看。 This is especially important as many people use the same password for multiple sites. 这一点特别重要，因为许多人在多个站点使用相同的密码。

Without knowing a single dot about CodeIgniter, I think your options would be: 在不知道有关CodeIgniter的单个点的情况下，我认为您的选择是：

Have the JavaScript jump in and hash the password before it's submitted. 在提交之前，让JavaScript跳入并哈希密码。 Is this even possible? 这有可能吗？
Use an SSL connection. 使用SSL连接。

Also, you have to consider what you're transmitting. 另外，您还必须考虑要传输的内容。 Unless it's life threateningly sensitive information, ask yourself - does this really need to be hashed for transmission? 除非它是威胁生命的敏感信息，否则请问自己-是否真的需要对这些哈希值进行散列以进行传输？

And finally, if someone has a keylogger or other malware on their PC, it will render your client side hashing pointless anyways. 最后，如果某人在其PC上装有键盘记录器或其他恶意软件，则无论如何，这将使您的客户端哈希变得毫无意义。

The point of hashing sensitive information is so that if the database where that information is stored becomes compromised, then no major damage has been done - since the attacker will not have an immediately useful information. 对敏感信息进行哈希处理的目的是，如果存储该信息的数据库受到破坏，则不会造成重大损害-因为攻击者将不会立即获得有用的信息。

Hashing just the password on the client side is pointless because all requests to your site are still vulnerable to replay attacks. 仅在客户端散列密码是没有意义的，因为对站点的所有请求仍然容易受到重放攻击。 An attacker able to view the traffic would see a username and hashed password in the request - which could trivially be replayed, and the attacker would assume the identity of the user who submitted the request which was sniffed. 能够查看流量的攻击者将在请求中看到用户名和哈希密码-可以轻而易举地重播，并且攻击者将假定提交请求的用户的身份被嗅探。

Enabling SSL is your best option, because then submitting the values in plain text are encrypted automatically and cannot be sniffed. 启用SSL是您的最佳选择，因为以纯文本格式提交值会自动加密，无法被嗅探。 Also, your users can trust that the data is coming from a valid source. 此外，您的用户可以相信数据来自有效来源。

There are alternatives, however. 但是，还有其他选择。 You could also use a challenge-response authentication scheme if you don't want SSL, but this has some drawbacks as well. 如果您不想使用SSL，也可以使用质询响应身份验证方案，但这也有一些缺点。 It really depends what you are doing on the site. 这实际上取决于您在网站上的工作。

There is no advantage to encrypting on the client side. 在客户端进行加密没有任何好处。 If you aren't using SSL, then the data can be intercepted no matter what. 如果您不使用SSL，则无论如何都可以拦截数据。 So even if you hash the password with say md5, the md5 hash is still sent in plain text, then intercepted, and can then be posted back to the login page by the third party. 因此，即使您使用md5哈希密码，md5哈希仍将以纯文本形式发送，然后被拦截，然后可以由第三方发布回登录页面。 Sure they may not know the raw password, but they can still gain access. 当然他们可能不知道原始密码，但是他们仍然可以访问。 If you are concerned about security, either make a self signed certificate, or pay $10 to a RapidSSL reseller for a trusted cert. 如果您担心安全性，请制作自签名证书，或向RapidSSL经销商支付10美元以获取受信任的证书。

Let the browser and server handle all the password encryption for you. 让浏览器和服务器为您处理所有密码加密。 To do this, make sure that you are using a secure connection (the protocol will then be https , eg https://www.example.com . You will need to setup your server to accept secure connections - try google for some tips. 为此，请确保您使用的是安全连接（然后协议为https ，例如https://www.example.com 。您需要将服务器设置为接受安全连接-尝试使用google以获得一些提示。