Rails: Is the devise gem secure?

I have my authentication on my web app running on the devise gem. I was wondering if it was secure. Yes, it stores the passwords as hashes in the database, uses encrypted tokens after logging in etc. But how about in the initial log in phase? Does it send the user's password unencrypted over the air (I don't have SSL)? Could it have the client encrypt it with a certain public key that only the server could decrypt? Or is SSL the only way to encrypt the user's password?

Thanks!

It is secure, remember Rails uses authenticity_token. I haven't heard of issues yet.

"Be warned that HTTP Basic Authentication transmits the username and password in clear text, so you should not use this method for applications where a higher level of security is required."

http://pivotallabs.com/users/ledwards/blog/articles/1534-http-basic-authentication-and-devise
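
An added illustration (not part of the original question or answers, and not Devise's own code): a Ruby check over two constructed sign-in requests, one using HTTP Basic and one using a form POST, showing which credential fields are readable from the request bytes when no TLS wraps the connection. The host `app.example`, the credentials, the token value and the `user[...]` parameter names (assumed to be the default for a Devise `User` model) are assumptions made for the example.

```ruby
require "uri"

# Constructed sample requests (not captured traffic).
BASIC_REQUEST = {
  url: "http://app.example/dashboard",
  # HTTP Basic: "login:password" run through Base64 ("m0" = strict Base64).
  headers: { "Authorization" => "Basic " + ["alice@example.com:s3cret-pass"].pack("m0") },
  body: ""
}
FORM_REQUEST = {
  url: "http://app.example/users/sign_in",
  headers: { "Content-Type" => "application/x-www-form-urlencoded" },
  body: URI.encode_www_form(
    "authenticity_token" => "constructed-csrf-token", # CSRF token, not a cipher key
    "user[email]" => "alice@example.com",
    "user[password]" => "s3cret-pass"
  )
}

# Returns the credentials recoverable from the raw request alone, i.e. what
# is exposed on the wire when the connection is not wrapped in TLS.
def readable_credentials(request)
  found = {}
  auth = request[:headers]["Authorization"]
  if auth && auth.start_with?("Basic ")
    # Base64 is an encoding, not encryption: decoding needs no key.
    login, password = auth.split(" ", 2).last.unpack1("m").split(":", 2)
    found[:login] = login
    found[:password] = password
  end
  unless request[:body].empty?
    # The form body carries the password as an ordinary parameter; the
    # authenticity_token sits beside it and does not hide it.
    params = URI.decode_www_form(request[:body]).to_h
    found[:login] ||= params["user[email]"]
    found[:password] ||= params["user[password]"]
  end
  found
end

# True only when the request travels inside TLS (https scheme).
def transport_encrypted?(request)
  URI.parse(request[:url]).scheme == "https"
end

# Audit helper: requests that carry a readable password without TLS.
def cleartext_password_requests(requests)
  requests.select { |r| !transport_encrypted?(r) && readable_credentials(r)[:password] }
end
```
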
