Having read this article and many others out there on how to store passwords in databases and cookies, I'm wondering how I should do it now...
What I've come up so far (after reading around a bit) is taking the clear-text user password, padding it with salt till it fills up 512 bits (64 bytes => 64 chars, since the page is non-unicode), and then doing
$pwhash = hash('sha512', $saltedpw);   // first pass over the salt-padded password
for ($i = 0; $i < 1000; $i++) {
    $pwhash = hash('sha512', $pwhash); // re-hash the hex digest 1000 times
}
Then I would store (UserName, HashedPw, Salt) in the database, but what do I do about the cookie (to identify users that want to stay logged on after the session has expired)?
First, calling hash() 1000 times does not help anything, once is enough.
For remembering the user login in a cookie you have two options:
In the database store only the password hash, and the cookie should contain a session id, often called SID. In another table store all SIDs (with userID) and that's all. But don't forget that PHP has a built-in, very simple and useful session API; better use it :)
You do not have to store the password of the user in the cookie. You can generate a long random string (similar to a session id) that you store in the database and in the cookie. You can change that string every time the session expires and the user comes back. When a user accesses the site you can check the cookie value against the database and see who the user is.
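The scheme both answers describe (a random token in the cookie, a matching record in a separate table, rotated when the user returns) as an added, runnable PHP example; it is not code from the question or either answer. The $store array is an assumed stand-in for the two database tables (users, remember_tokens), the 30-day lifetime and cookie name 'remember' are assumed, and the password itself is handled with password_hash() rather than the SHA-512 loop from the question. Only a SHA-512 hash of the token is kept server side, so a copy of the table does not yield usable cookies.

```php
<?php
// Added example: "remember me" token stored in the cookie, its hash in the DB.
declare(strict_types=1);

const TOKEN_LIFETIME = 30 * 24 * 3600;   // assumed policy: 30 days

// Constructed in-memory stand-in for the database tables.
$store = ['users' => [], 'remember_tokens' => []];

function registerUser(array &$store, string $username, string $password): void
{
    // password_hash() salts and stretches the password for us.
    $store['users'][$username] = password_hash($password, PASSWORD_DEFAULT);
}

function checkPassword(array $store, string $username, string $password): bool
{
    return isset($store['users'][$username])
        && password_verify($password, $store['users'][$username]);
}

// Issue a fresh token: the browser gets the raw value, the table gets its hash.
// The token is 256 bits from the CSPRNG, so a single SHA-512 is enough here;
// there is nothing low-entropy to stretch.
function issueRememberToken(array &$store, string $username): string
{
    $token = bin2hex(random_bytes(32));
    $store['remember_tokens'][hash('sha512', $token)] = [
        'user'    => $username,
        'expires' => time() + TOKEN_LIFETIME,
    ];
    return $token;
}

// Map a cookie value back to a user. Returns null for unknown or expired
// tokens. A valid token is consumed (rotation, as the second answer
// suggests): the caller issues a new one, so a copied cookie stops working
// after the real user's next visit.
function userFromRememberToken(array &$store, string $cookieValue): ?string
{
    $key = hash('sha512', $cookieValue);
    if (!isset($store['remember_tokens'][$key])) {
        return null;
    }
    $row = $store['remember_tokens'][$key];
    unset($store['remember_tokens'][$key]);   // single use, expired or not
    if ($row['expires'] < time()) {
        return null;
    }
    return $row['user'];
}

// Send the cookie with the usual hardening flags (array options need PHP 7.3+).
function sendRememberCookie(string $token): void
{
    setcookie('remember', $token, [
        'expires'  => time() + TOKEN_LIFETIME,
        'path'     => '/',
        'secure'   => true,      // HTTPS only
        'httponly' => true,      // not readable from JavaScript
        'samesite' => 'Lax',
    ]);
}

function check(bool $ok, string $what): void
{
    if (!$ok) {
        throw new RuntimeException("check failed: $what");
    }
}

// Walk-through on the CLI (setcookie() is only meaningful under a web server).
registerUser($store, 'alice', 'correct horse battery staple');
check(checkPassword($store, 'alice', 'correct horse battery staple'), 'login ok');
check(!checkPassword($store, 'alice', 'wrong'), 'wrong password rejected');

$cookie = issueRememberToken($store, 'alice');                 // value for the browser
check(userFromRememberToken($store, $cookie) === 'alice', 'token resolves');
check(userFromRememberToken($store, $cookie) === null, 'token was rotated');
$cookie = issueRememberToken($store, 'alice');                 // reissue after use
check(userFromRememberToken($store, 'not a real token') === null, 'bogus rejected');
echo "remember-me flow OK\n";
```

In a real deployment the two table lookups become prepared statements keyed on the token hash, and the login handler calls issueRememberToken() plus sendRememberCookie() after checkPassword() succeeds; on each return visit, a successful userFromRememberToken() should be followed by a new issueRememberToken() so the cookie is replaced.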