简体繁体 English

服务器端与客户端文件哈希

[英]Server-side vs client-side file hashing

原文 2011-04-19 14:05:27 7 3 php/ javascript/ html5/ hash

I'm about to write a little webapp/tool/widget that needs to store some files on the server. 我将要编写一些webapp / tool / widget，它需要在服务器上存储一些文件。 In order to avoid unnecessary load on the server-side, I want to create file hashes (with SHA, MD5 or whatever...) on the client side. 为了避免在服务器端造成不必要的负载，我想在客户端上创建文件哈希（使用SHA，MD5或其他...）。 It is manageable with HTML5 FileAPI, but then Opera and IE9 users will get sacked. 可使用HTML5 FileAPI进行管理，但是Opera和IE9用户将被解雇。 JAVA or Flash applets can be used instead HTML5 approach, in order to keep the application cross-browser compatible. 可以使用JAVA或Flash小程序代替HTML5方法，以保持应用程序跨浏览器的兼容性。 But since I'm not familiar with JAVA/Flash (and I would use them only in life or death situations), I'd like to stick with JS if possible. 但是由于我对JAVA / Flash不熟悉（而且我只会在生死攸关的情况下使用它们），因此，如果可能的话，我想坚持使用JS。 But all client-side suggestions are welcome... JS, JAVA, Flash, whatever... 但是欢迎所有客户端建议... JS，JAVA，Flash，无论如何...

Traditional POST method (with PHP) will do the trick regardless of user agent. 不管用户代理是什么，传统的POST方法（使用PHP）都可以解决问题。 And AFAIK it's safer. 而且AFAIK更安全。

Long story short, my question is: why should I prefer client-side over server-side hashing? 长话短说，我的问题是： 为什么我应该更喜欢客户端而不是服务器端哈希？

Can you provide some pros and cons of both approaches? 您能否提供两种方法的利弊？

3 个解决方案

Server side More load, but not that much. 服务器端负载更多，但不是很多。 Write the code, time it, measure memory usage etc. I doubt it will be a massive problem, especially if you can do it with a cron job to spread the load out if it's huge. 编写代码，安排时间，测量内存使用情况等。我怀疑这将是一个大问题，尤其是如果您可以使用cron作业将其分散开来（如果它很大），则尤其如此。

Client side You can't trust the hashes, and to verify them requires you to recalculate them on the server. 客户端您无法信任哈希，要验证它们，需要在服务器上重新计算它们。 Less server load, but if it takes a while to hash a large file this will be annoying for the user. 较少的服务器负载，但是如果散列大文件需要花一些时间，这将使用户感到烦恼。

I'd do it server side unless you have thousands of huge files every minute! 除非您每分钟都有数千个大文件，否则我会在服务器端这样做！

I tried to write some pros on doing this on the client-side but in my honest opinion you'll just be making it hard for yourself. 我试图写一些在客户端执行此操作的专家，但是老实说，您会让自己变得困难。 And how you will make sure the hash that was submitted was generated by you? 以及如何确保提交的哈希是由您生成的？ Anyone can easily use tools like Firebug and change the running code (Correct me If I'm wrong about this, never actually used it :D ). 任何人都可以轻松使用Firebug等工具并更改运行的代码（更正我，如果我对此错了，请不要实际使用它：D）。 And furthermore they can create/forge their own request and post it to your PHP file, so you would loose a lot of control. 而且，他们可以创建/伪造自己的请求并将其发布到您的PHP文件中，因此您将失去很多控制权。

So how will you check the data then? 那么，您将如何检查数据呢？ Generate another hash and check them against each other ? 生成另一个哈希并相互检查？ But then your already doing it server-side! 但是您已经在服务器端完成了！

So rather think about keeping the hashing operations server-side where you control the environment. 因此，请考虑将散列操作保留在您控制环境的服务器端。 And hashing algorithms have been around for years so I'm sure they have optimized it quite a lot. 哈希算法已经存在了很多年，所以我确信它们已经对其进行了很多优化。 And you will ensure more compatibility for your clients. 并且您将确保与客户的更多兼容性。

And if you are getting enough traffic that hashing is a major performance hit then it's maybe time to upgrade to something bigger ... 而且，如果您获得的流量足够多，以至于哈希成为主要的性能问题，那么也许是时候升级到更大的设备了……

But don't get me wrong this is very possible and makes sense - http://www.movable-type.co.uk/scripts/sha1.html - but I just can't get myself to trust this solution. 但是请不要误解我的意思，这是很有可能的，而且很有道理-http: //www.movable-type.co.uk/scripts/sha1.html-但我无法相信这个解决方案。

what if JavaScript is turned off? 如果关闭JavaScript怎么办？ You don't have to rely on JavaScript to do your work if you do it server side. 如果您在服务器端进行操作，则不必依靠JavaScript进行工作。 Would rather use the extra server resource for 100% guarantee that it is going to work! 宁愿使用额外的服务器资源以100％保证它将正常工作！