如何在数据库和Cookies中存储密码(PHP / MySQL)
[英]How to Store Passwords in Databases and Cookies (PHP/MySQL)
问题描述
Having read this article and many others out there on how to 
not store passwords in databases and cookies, I'm wondering now how I should do it... 读完这篇文章和其他许多人在那里如何不存储在数据库和饼干密码,我现在不知道我应该怎么办呢?
What I've come up so far (after reading around a bit) is taking the clear-text user password, padding it with salt till it fills up 512 bits (64 bytes => 64 chars, since the page is non-unicode), and then doing 到目前为止(在阅读了一番之后),我想出的是明文用户密码,用盐填充,直到它填满512位(64字节=> 64个字符,因为页面是非Unicode的) ,然后做
$pwhash = hash('sha512', $saltedpw);
for ($i=0; $i<1000; $i++)
$pwhash = hash('sha512', $pwhash);
Then I would store (UserName, HashedPw, Salt) in the database, but what do I do about the cookie (to identify users that want to stay loogend-on after the session has expired)? 然后,我将(UserName,HashedPw,Salt)存储在数据库中,但是我对cookie采取什么措施(以识别在会话期满后仍希望保持打开状态的用户)?
3 个解决方案
解决方案1
7 已采纳 2009-10-03 17:25:18
First, calling hash 1000 times does not help anything, once is enough. 首先,调用hash 1000次无济于事,一次就足够了。
For remembering the user login in cookie you have two options: 为了记住用户在cookie中的登录,您有两个选择:
- As has been said, you can generate a random token and store it in the database along with the user information. 如前所述,您可以生成一个随机令牌并将其与用户信息一起存储在数据库中。 When a user with no session cookie enters the site, you check if there is a cookie with the token and do a DB lookup. 当没有会话cookie的用户进入站点时,您将检查是否存在带有令牌的cookie并进行数据库查找。 If you found a user with such a token, log them in. You might want to do some additional checks, like whether the current IP is the same as the IP when they first logged in. 如果找到具有此令牌的用户,则将其登录。您可能需要进行一些其他检查,例如当前IP与他们首次登录时的IP是否相同。
- You can store the user ID in the cookie, but then you have to sign the data using a secret key to make sure the user can't just modify it. 您可以将用户ID存储在cookie中,但随后必须使用密钥对数据进行签名,以确保用户不能只是对其进行修改。 HMAC -SHA-1 is a good way to do that. HMAC -SHA-1是执行此操作的好方法。 The advantage is that you don't have to store any additional data in the database. 优点是您不必在数据库中存储任何其他数据。 You only have to verify the signature and do a lookup on the user ID. 您只需要验证签名并在用户ID上进行查找即可。 The disadvantage is that you have to make sure the signature code is secure (HMAC-SHA-1 with a longer secret key should do that). 缺点是您必须确保签名代码是安全的(具有较长密钥的HMAC-SHA-1应该这样做)。
解决方案2
0 2009-10-03 17:11:04
In the database store only password hashcode, and cookie should contain session id, often called SID . 在数据库存储区中,仅密码哈希码和cookie应该包含会话ID,通常称为SID 。 In another table store all SID (with userID ) and thats all. 在另一个表中,存储所有SID (带有userID ),仅此而已。 But don't forget that PHP has build in very simple and usefull session api, use it better :) 但是不要忘了PHP已经内置了非常简单和有用的会话api,请更好地使用它:)
解决方案3
0 2009-10-03 17:11:22
You do not have to store the password of the user in the cookie. 您不必在Cookie中存储用户密码。 You can generate a long random string (similar to a sessionid) that you store in the database and in the cookie. 您可以生成一个长的随机字符串(类似于sessionid),该字符串存储在数据库和cookie中。 You can change that string everytime the session expires and the user comes back. 您可以在会话期满和用户回来时每次更改该字符串。 When a user accesses the site you can check the cookie value against the database and see who the user is. 当用户访问站点时,您可以对照数据库检查cookie值,并查看用户是谁。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.