堆栈内存溢出
  简体   繁体   English

登录页面与 htpasswd - 哪个更安全?

[英]Login page vs. htpasswd - Which is more secure?

 原文  2011-04-29 14:03:25       php/ .htaccess/ .htpasswd

问题描述

Given a simple login system (register and login), which of the two choices is more secure:给定一个简单的登录系统(注册和登录),两种选择哪个更安全:

  • Using htaccess and htpasswd files to store and authenticate users使用 htaccess 和 htpasswd 文件存储和验证用户
  • Using php to CRUD and MySQL (or any other database really) to store the info使用 php 到 CRUD 和 MySQL(或任何其他数据库)来存储信息

User info consists purely of username-password.用户信息纯粹由用户名密码组成。

Of course, best-case is assumed for both options: MySQL injections are accounted for, password is md5/sha1/md5+sha1/any other means encrypted, etc.当然,这两个选项都假设为最佳情况:考虑 MySQL 注入,密码是 md5/sha1/md5+sha1/任何其他加密方式,等等。

In case you're wondering, in the first case, php will add user credentials to the htpasswd file.如果您想知道,在第一种情况下,php 会将用户凭据添加到 htpasswd 文件中。 (seethis question for an example implementation.) (有关示例实现,请参阅问题。)

2 个解决方案

解决方案1
 13 已采纳  2011-04-29 14:05:15

I'd say always the login form (by which I assume you mean standard session-based authentication).我总是说登录表单(我假设您的意思是标准的基于会话的身份验证)。

  • .htaccess authentication transmits the password on every request (Of course, SSL would help here) .htaccess身份验证在每个请求上传输密码(当然,SSL 在这里会有所帮助)

  • .htaccess authentication doesn't have any rate limiting / brute-force protection by default in Apache .htaccess身份验证在 Apache 中默认没有任何速率限制/蛮力保护

  • Logging out from .htaccess authentication is a bitch.htaccess身份验证注销是个婊子

解决方案2
 5  2011-04-29 14:12:06

There is pretty much no difference between the 2 ways in terms of in flight security.在飞行安全方面,这两种方式几乎没有区别。 but Pekka's concerns are all valid.但佩卡的担心都是有道理的。 If you just want to use HTTP Basic Auth (ie the popup box) as opposed to a login form, you can do it via PHP.如果您只想使用 HTTP 基本身份验证(即弹出框)而不是登录表单,您可以通过 PHP 来完成。 by looking for $_SERVER['PHP_AUTH_USER'] and if you don't find it send back a 401 response such as:通过寻找$_SERVER['PHP_AUTH_USER']如果你没有找到它发回 401 响应,例如:

    if (!isset($_SERVER['PHP_AUTH_USER'])) {
            header('WWW-Authenticate: Basic realm="MY REALM"');
            header('HTTP/1.0 401 Unauthorized');
            echo 'Please Contact us if you are having problems logging in';
            exit;
    } else {
            //not their first time through
            //check their username and password here
            $username = trim($_SERVER['PHP_AUTH_USER']);
            $password = trim($_SERVER['PHP_AUTH_PW']);
            //do login
    }

This way you can do rate limit/brute force detection.这样您就可以进行速率限制/蛮力检测。 Set a session, so that the passwords isn't sent with each request, and makes logging the user out and tracking them way easier.设置 session,这样密码就不会随每个请求一起发送,并使用户注销和跟踪更容易。

暂无
暂无

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

相关问题 IF vs. SWITCH,哪个更适合这项工作?为什么? - IF vs. SWITCH and which is more suitable for this job and why? htacces / htpasswd有多安全? - How secure is htacces/htpasswd? 安全登录页面:javascript md5 function vs SSL,如果登录块在主页面上 - secure login page: javascript md5 function vs SSL, if login block is on the main page 如何保护我的登录页面 - How to secure my login page Https,Php安全登录页面? - Https, Php secure login page? file_get_contents vs cUrl。 哪个更相关,更安全? - file_get_contents vs cUrl. Which is more relevant and secure? 视图与页面计算 - Views vs. in page calculations 如何使用Codeigniter制作更安全的登录系统? - How to make more secure login system with codeigniter? 如何使此登录/重定向方法更安全 - How to make this login/redirect method more secure if($ val)vs if($ val!=“”)vs。if(!empty($ val)) - 哪一个? - if($val) vs. if($val != “”) vs. if(!empty($val)) — which one?
相关标签
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM