phpass和hash_hmac有什么区别?
[英]What's the difference between phpass and hash_hmac?
问题描述
I'm trying to store a password in a cookie. 
我正在尝试将密码存储在cookie中。 Stackoverflow seems to recommend hash_hmac but wordpress uses phpass? Stackoverflow似乎推荐hash_hmac但wordpress使用phpass?
What's the difference from a security perspective and which should be used? 从安全角度看应该使用哪些区别?
1 个解决方案
解决方案1
4 2011-03-05 19:00:48
This is a really bad idea. 这是一个非常糟糕的主意。 You should use session_start() , which does everything for you and then you can use $_SESSION to store information about that user. 您应该使用session_start() ,它会为您完成所有操作,然后您可以使用$_SESSION来存储有关该用户的信息。 If you store a password hash in the database and use it as a cookie then you totally undermine the purpose of hashing passwords. 如果您在数据库中存储密码哈希并将其用作cookie,那么您完全破坏了哈希密码的目的。 An attacker can use sql injection to obtain the hash and then just login without having to crack the hash. 攻击者可以使用sql注入来获取哈希,然后只需登录而不必破解哈希。
Wordpress was vulnerable to this a few years ago. 几年前Wordpress很容易受到攻击。 That code base has had some very serious security problems. 该代码库存在一些非常严重的安全问题。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.