Login page vs. htpasswd - Which is more secure?
Given a simple login system (register and login), which of the two choices is more secure:

User info consists purely of username-password.

Of course, best-case is assumed for both options: MySQL injections are accounted for, password is md5/sha1/md5+sha1/any other means encrypted, etc.

In case you're wondering, in the first case, php will add user credentials to the htpasswd file. (See this question for an example implementation.)
I'd say always the login form (by which I assume you mean standard session-based authentication).

- .htaccess authentication transmits the password on every request (Of course, SSL would help here)
- .htaccess authentication doesn't have any rate limiting / brute-force protection by default in Apache
- Logging out from .htaccess authentication is a bitch
There is pretty much no difference between the two ways in terms of in-flight security, but Pekka's concerns are all valid. If you just want to use HTTP Basic Auth (i.e. the popup box) as opposed to a login form, you can do it via PHP by looking for $_SERVER['PHP_AUTH_USER'] and, if you don't find it, sending back a 401 response such as:
```php
<?php
if (!isset($_SERVER['PHP_AUTH_USER'])) {
    // No credentials yet: ask the browser to show the Basic Auth popup.
    header('WWW-Authenticate: Basic realm="MY REALM"');
    header('HTTP/1.0 401 Unauthorized');
    echo 'Please Contact us if you are having problems logging in';
    exit;
} else {
    // Not their first time through: check the supplied username and password here.
    $username = trim($_SERVER['PHP_AUTH_USER']);
    $password = trim($_SERVER['PHP_AUTH_PW']);
    // do login
}
```
This way you can do rate limiting / brute-force detection. Set a session so that the password isn't sent with each request, which makes logging the user out and tracking them way easier.
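The approach the answer above describes, carried through as an added example that is not code from the answer or from any project: Basic Auth credentials are verified once, the result is kept in a PHP session so the password is not re-checked on every request, and failed attempts per username are counted in a small JSON file so repeated failures are locked out. The user table, the hypothetical account 'alice', the lockout numbers and the /tmp file path are assumptions; password_hash()/password_verify() are used in place of the md5/sha1 the question mentions.

```php
<?php
// Added example (not the answer's code); user table and /tmp file are constructed.
session_start();
const MAX_FAILURES = 5;        // failed logins allowed per username
const LOCKOUT_SECONDS = 900;   // lockout window after that (15 minutes)
const ATTEMPT_FILE = '/tmp/basic_auth_attempts.json';
// Constructed user table with a hypothetical account and a password_hash() value.
$users = ['alice' => password_hash('correct horse battery staple', PASSWORD_DEFAULT)];

function challenge(): void {
    header('WWW-Authenticate: Basic realm="MY REALM"');
    header('HTTP/1.0 401 Unauthorized');
    exit('Please contact us if you are having problems logging in');
}

function loadAttempts(): array {
    $raw = @file_get_contents(ATTEMPT_FILE);
    return $raw === false ? [] : (json_decode($raw, true) ?: []);
}

function saveAttempts(array $attempts): void {
    file_put_contents(ATTEMPT_FILE, json_encode($attempts), LOCK_EX);
}
if (isset($_SESSION['user'])) {              // already logged in this session
    exit('Welcome back, ' . htmlspecialchars($_SESSION['user']));
}
if (!isset($_SERVER['PHP_AUTH_USER'], $_SERVER['PHP_AUTH_PW'])) {
    challenge();                             // first visit: trigger the popup
}
$username = trim($_SERVER['PHP_AUTH_USER']);
$password = $_SERVER['PHP_AUTH_PW'];         // not trimmed: spaces can be part of it
$attempts = loadAttempts();
$rec = $attempts[$username] ?? ['count' => 0, 'last' => 0];
if (time() - $rec['last'] >= LOCKOUT_SECONDS) {
    $rec = ['count' => 0, 'last' => 0];      // lockout window expired: start over
}
if ($rec['count'] >= MAX_FAILURES) {
    header('HTTP/1.0 429 Too Many Requests');
    exit('Too many failed logins; try again later');
}
if (isset($users[$username]) && password_verify($password, $users[$username])) {
    unset($attempts[$username]);             // success: clear the failure count
    saveAttempts($attempts);
    session_regenerate_id(true);             // new session id prevents fixation
    $_SESSION['user'] = $username;
    exit('Logged in as ' . htmlspecialchars($username));
}
$attempts[$username] = ['count' => $rec['count'] + 1, 'last' => time()];
saveAttempts($attempts);
challenge();                                 // wrong credentials: re-prompt
```

$_SERVER['PHP_AUTH_USER'] is populated when PHP runs as an Apache module; under CGI/FastCGI the Authorization header may need to be passed through to PHP explicitly, and the whole exchange should of course sit behind TLS.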