stackoom
  简体   繁体   中英

Will using the same database for client hashes, salts, and settings expose client hashes?

 原文  2014-01-09 21:25:21       javascript/ php/ html/ xml/ hash

Question

If I have an XML database on my web server; 

<Database>
    <Client sid="0123456789abcdefg" name="John Doe" email="johndoe@mail.com" hash="9876543210abcdefg" salt="abcdefg9876543210">
        <Setting>A Setting</Setting>
        <Setting>Another Setting</Setting>
    </Client>
    ...
</Database>

And I log in with the hash and salt, retrieve the SID, and redirect to the home page via PHP; 

header("Location: home.html?sid=" . $sid);

And then use the SID in the location bar via JavaScript to retrieve the user settings from , will I expose my clients' hash? 检索用户设置,我是否会公开客户的哈希?

Is there a better way, or a more standard way, to set and get user settings on the web?

PS: Unless you have a really good reason, I really, really, really, don't want to use SQL. I prefer to be able to read my databases, and I like the tangibility and versatility of XML.

After a little more research, I learned that PHP supports a system for storing SESSION[] variables. 经过更多研究,我了解到PHP支持存储SESSION []变量的系统。 This is perfect for me because I am, in fact, using sessions!

The W3C says:

"A PHP session variable is used to store information about, or change settings for a user session. Session variables hold information about one single user, and are available to all pages in one application."

Much better than exposing various data in the address bar. =)

1 answers

solution1
 1 ACCPTED  2014-01-09 22:40:25

As long as your DB file is inaccessable from HTTP (ie locked by a .htaccess or equivalent) and other protocols (ie not sitting in a directory accesable by anonymous FTP), the only risk is to (inadvertently) let the hash&salt be collected among a bunch of other user-related data and sent to your clients.

If you have requests equivalent to the SQL * selector, that might be somewhat of a problem. You might want to put the critical data into a different DB file and encapsulate the accesses in an interface dedicated to user registration and login, just to make sure no other piece of code will be able to grab them (even by mistake) from your main DB.

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question XML to JavaScript hashes/arrays on the client Differing SHA1 hashes for identical values on the server and the client Different hashes with same input values using URL hashes in javascript AND anchors manipulate array of hashes using javascript why don't these stylus hashes behave the same? Javascript, creating array of hashes writes same hash Comparing hashes Show/hide divs using IDs and hashes Matching hashes using regex, but not when they are part of an url
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM