将用户ID和密码哈希存储在cookie中以进行自动登录? vBulletin类型的身份验证是否可以接受?
I'm setting up a user account system on my web site. The SO consensus seem to be reflected in this SO question/article. It recommends this approach by Charles Miller to store the username and a large random number 1) in a cookie and 2) in a separate table in the DB. The user can be reauthenticated in each subsequent session by querying this table using the cookie (if it exists). If a match is found, then a new $_SESSION is set for that session. It supports simultaneous logins from different computers.
My question...
Prior to reading security questions on SO, I was thinking about storing user information in a way similar to the way vBulletin does it. As I understand it, they store the user id and the hashed password in separate cookies on the user's browser.
After the user logs in, they use a $_SESSION variable (e.g. something like $_SESSION['user_hash']) to maintain the authentication for each page request. I don't have access to vBulletin software, but I assume that $_SESSION['user_hash'] is maintained in a separate MySQL table along with another piece of identifying information - e.g. user id/password hash/other - in order to enable logins from different computers.
I was thinking about creating the hash by doing this:
$_SESSION['user_hash'] = $random_hash = sha1(uniqid(rand(), true));
For future sessions, if $_SESSION['user_hash'] does not exist, then those two cookies can be used to auto-login this person for a new session. I would plan on implementing the $_SESSION security measures outlined in this SO question .
Is the vBulletin approach acceptable from a security standpoint? If storing the user id and the hashed password in a cookie is problematic, would encrypting them alleviate some security concerns? Or could something else be done to secure the cookies?
Thanks for any suggestions.
我在我的网站上设置了一个用户帐户系统。 SO的共识似乎反映在这个SO问题/文章 a >。 它建议Charles Miller 这种方法存储用户名和大量随机 数字1)在cookie中和2)在DB中的单独表中。 通过使用cookie(如果存在)查询此表,可以在每个后续会话中重新验证用户。 如果找到匹配项,则为该会话设置新的 我的问题... p>
在阅读有关SO的安全问题之前,我在考虑存储用户信息 以类似于vBulletin的方式。 据我了解,他们将用户ID和散列密码存储在用户浏览器的单独cookie中。 p>
用户登录后,他们使用 我正在考虑通过这样做来创建哈希: p>
对于将来的会话,如果 从安全角度来看,vBulletin方法是否可以接受? 如果将用户ID和散列密码存储在cookie中是有问题的,那么加密它们会减轻一些安全问题吗? 或者可以采取其他措施保护cookie? p>
感谢您的任何建议。 p>
div> $ _ SESSION code>。 它支持来自不同计算机的同时登录。 p>
$ _ SESSION code >变量(例如 $ _ SESSION ['user_hash'] code>)来维护每个页面请求的身份验证。 我无法访问vBulletin软件,但我认为 $ _ SESSION ['user_hash'] code>与另一条识别信息一起维护在一个单独的MySQL表中 - 例如 用户ID /密码哈希/其他 - 为了启用来自不同计算机的登录。 p>
$ _ SESSION ['user_hash'] = $ random_hash = sha1(uniqid(rand(),true));
code> pre>
$ _ SESSION ['user_hash'] code>不存在,那么这两个cookie可用于自动登录此人进行新会话。 我打算实施这个 SO问题中列出的 $ _ SESSION code>安全措施 a>。 p>
The problem with this approach is that there is far more potential for session hijacking than with a standard session cookie. If I were to steal that cookie, I would potentially be able to access the user's account for as long as they don't change their password. If session authentication uses a session ID that's unique to the session, it's easy enough to set the sessions to time out after a period of inactivity by storing the last activity time in the database.
Another thing is that I would argue you are overcomplicating your own code. You're already using PHP's sessions, which I've always found to work very well, so why not just store the PHP session ID and a link to the user record in the database in your user sessions table? What more do you gain from setting another cookie with your own hash in it? That's why PHP is such a nice language to use because a lot of these high level functions, such has session handling, are already done for you