[英]How to Store Passwords in Databases and Cookies (PHP/MySQL)
Having read this article and many others out there on how to not store passwords in databases and cookies, I'm wondering now how I should do it... 读完这篇文章和其他许多人在那里如何不存储在数据库和饼干密码,我现在不知道我应该怎么办呢?
What I've come up so far (after reading around a bit) is taking the clear-text user password, padding it with salt till it fills up 512 bits (64 bytes => 64 chars, since the page is non-unicode), and then doing 到目前为止(在阅读了一番之后),我想出的是明文用户密码,用盐填充,直到它填满512位(64字节=> 64个字符,因为页面是非Unicode的) ,然后做
$pwhash = hash('sha512', $saltedpw);
for ($i=0; $i<1000; $i++)
$pwhash = hash('sha512', $pwhash);
Then I would store (UserName, HashedPw, Salt) in the database, but what do I do about the cookie (to identify users that want to stay loogend-on after the session has expired)? 然后,我将(UserName,HashedPw,Salt)存储在数据库中,但是我对cookie采取什么措施(以识别在会话期满后仍希望保持打开状态的用户)?
First, calling hash
1000 times does not help anything, once is enough. 首先,调用hash
1000次无济于事,一次就足够了。
For remembering the user login in cookie you have two options: 为了记住用户在cookie中的登录,您有两个选择:
In the database store only password hashcode, and cookie should contain session id, often called SID
. 在数据库存储区中,仅密码哈希码和cookie应该包含会话ID,通常称为SID
。 In another table store all SID
(with userID
) and thats all. 在另一个表中,存储所有SID
(带有userID
),仅此而已。 But don't forget that PHP has build in very simple and usefull session api, use it better :) 但是不要忘了PHP已经内置了非常简单和有用的会话api,请更好地使用它:)
You do not have to store the password of the user in the cookie. 您不必在Cookie中存储用户密码。 You can generate a long random string (similar to a sessionid) that you store in the database and in the cookie. 您可以生成一个长的随机字符串(类似于sessionid),该字符串存储在数据库和cookie中。 You can change that string everytime the session expires and the user comes back. 您可以在会话期满和用户回来时每次更改该字符串。 When a user accesses the site you can check the cookie value against the database and see who the user is. 当用户访问站点时,您可以对照数据库检查cookie值,并查看用户是谁。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.