我如何获得Cookie?
[英]How Can I Secure the Cookie?
问题描述
I use to cookie for Remember Me functionality. 
我使用cookie来记住我的功能。
This is how i set the cookie: 这是我设置Cookie的方式:
$value = $dbusername.'|'.$dbpassword;
setcookie('abc', $value,time()+60*60*24*180, '/');
Retrieve cookie: 检索Cookie:
$cookie = $_COOKIE['abc'];
$values = explode("|", $cookie);
$username_ck = $values[0]; //ck stands for cookie
$password_ck = $values[1];
What is a good way to secure my cookies (username/password)? 保护我的Cookie(用户名/密码)的一种好方法是什么? The password in my database is stored in plain text. 我数据库中的密码以纯文本格式存储。 I don't want to to encrypt the password in db. 我不想加密db中的密码。
6 个解决方案
解决方案1
3 2011-09-08 22:39:45
You should NEVER, EVER, EVER, EVER store plaintext passwords in your database. 您永远,永远,永远,永远都不应在数据库中存储纯文本密码。 Just google 'plaintext passwords in database' to find out why. 只需在Google“数据库中的纯文本密码”中查找原因即可。 You password should be stored as (at least) a SHA1 hash, along with a random salt, in the database. 您的密码应(至少)作为SHA1散列以及随机盐存储在数据库中。
You can't secure you cookie the way you're doing it. 您无法按照自己的方式保护Cookie。 You're leaving yourself open to cross-site request forgery, if not worse. 您甚至可以跨站点请求伪造,甚至更糟。 You should also generate a secure random hash to sign the cookie (if not encrypt it) so that its validity can be assured. 您还应该生成一个安全的随机散列来对cookie进行签名(如果不对其进行加密),以便可以确保其有效性。 But nothing password related should ever end up in the cookie; 但是,与Cookie相关的任何密码都不应最终出现在Cookie中; if you need to store private data in the session (which you should avoid anyhow), you should store the session in the DB or memcache. 如果需要在会话中存储私有数据(无论如何应避免),则应将会话存储在数据库或内存缓存中。
I'm only trying to be helpful, but this method of session maintenance is beyond insane. 我只是想提供帮助,但是这种会话维护方法非常疯狂。 Please, please, please reconsider. 请,请,请重新考虑。
解决方案2
3 已采纳 2011-09-08 22:39:51
First you should NEVER EVER store passwords in plain text db! 首先,永远不要将密码存储在纯文本数据库中!
Second: you should NEVER EVER store passwords in plain text in cookies! 第二:永远不要将纯文本密码存储在Cookie中!
Third: if you use cookies to implement something like a remember me option you don't need to store the password in the cookie, but rather a random token stored in both the db and the cookie which automatically gets invalidated every time the user logs on and also create a new one every time the user logs in. 第三:如果您使用Cookie来实现类似“记住我”的选项,则无需将密码存储在Cookie中,而是将随机令牌存储在db和Cookie中,每次用户登录时该令牌都会自动失效并在用户每次登录时创建一个新的。
Also did I already mention to NEVER EVER STORE PASSWORDS IN PLAIN TEXT ? 我也已经提到过“ 从不在纯文本中存储密码”吗?
EDIT 编辑
Please also checkout: http://jaspan.com/improved_persistent_login_cookie_best_practice 请同时结帐: http : //jaspan.com/improved_persistent_login_cookie_best_practice
Which describes the best way of using cookies (basically a step-by-step explanation of what I already tried telling you). 其中介绍了使用Cookie的最佳方法(基本上是我已经尝试告诉您的逐步说明)。 I say the best way since I haven't found a better way yet :) 我说最好的方法,因为我还没有找到更好的方法:)
解决方案3
1 2011-09-08 22:39:20
You should never store passwords in a cookie since it display them as plain text. 您永远不要将密码存储在cookie中,因为它会将密码显示为纯文本。 If a hacker catches that cookie and opens it up and find the password, it's only a matter of time before they find the username. 如果黑客捕获了该cookie并打开它并找到密码,那么他们找到用户名只是时间问题。
Bad Practice store everything you need in a database and start using $_SESSION[] 不良做法将您需要的一切存储在数据库中,并开始使用$ _SESSION []
解决方案4
0 2011-09-08 22:39:44
You should really encrypt your password. 您应该真正加密密码。 At least use md5 for it, if you want to compare an input by the user with that value from the database just encrypt that input and compare it... 至少要使用md5,如果您想将用户的输入与数据库中的值进行比较,只需对该输入进行加密并进行比较...
One more thing, you shouldn't store a password in a cookie. 还有一件事,您不应该在Cookie中存储密码。
解决方案5
0 2011-09-08 22:47:50
Add in the user table a field called remember_key VARCHAR 32 添加在user表名为场remember_key VARCHAR 32
When the user log-in set this in the user table: 用户登录时,请在用户表中进行以下设置:
$remember = md5(uniqid(mt_rand(), true));
update query: 更新查询:
"UPDATE user SET remember_key = $remember WHERE id = $id"
When the user re-enter to the page query the cookie in the user table: 当用户重新进入页面时,查询用户表中的cookie:
"SELECT * from user WHERE remember_key = " . esc($_COOKIE['remember'])
if ($num_rows == 1) $login = true;
Sorry pseudo code and also dont forget to escape strings 对不起,伪代码,也不要忘记对字符串进行转义
I will update the answer 我将更新答案
解决方案6
0 2011-09-08 22:49:32
I believe you should replace that whole code to be honest and do some research into sessions. 我相信您应该诚实地替换整个代码,并对会话进行一些研究。 The reason I say that is because; 我之所以这样说是因为;
Firstly, your sessions are already secure. 首先,您的会话已经安全。 What a session does is put 1 cookie with a token on the users computer, and store the rest of the data on the server. 会话执行的操作是将1个带有令牌的cookie放在用户计算机上,并将其余数据存储在服务器上。 So you don't necessarily need to encrypt the password and username, yet you can still have some strength. 因此,您不一定需要加密密码和用户名,但是您仍然可以保持一定的实力。
Secondly, people across multiple IP's can't copy sessions, as they are checked against a computer name and other simple stuff to ensure authenticity. 其次,跨多个IP的人员无法复制会话,因为他们会根据计算机名称和其他简单内容进行检查以确保真实性。
Thirdly, sessions are a lot quicker then cookies. 第三,会话比cookie快得多。 Every time a page is loaded, the browser has to send ALL the cookies to the server. 每次加载页面时,浏览器都必须将所有cookie发送到服务器。 This can be quiet a lot of memory. 这样可以安静很多内存。 Where as a session only has one cookie. 会话中只有一个cookie。
To store session data, you can do the following: 要存储会话数据,您可以执行以下操作:
session_start(); //Has to go at the top of your page! On each page that uses a session.
$_SESSION['USERNAME'] = $dbusername;
$_SESSION['PASSWORD'] = $dbpassword;
//And to retrieve you just call back the parameter.
$username = $_SESSION['USERNAME'];
Checkout the PHP Manual for more information. 查看PHP手册以获取更多信息。 http://www.php.net/manual/en/session.examples.basic.php http://www.php.net/manual/zh/session.examples.basic.php
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.