英文:
Ways of adding Account Capabilities to Web App
问题
在我迄今构建的需要帐户功能的Web应用程序中,我使用了以下结构:一旦注册,每个用户将被随机分配一个ID号。一旦用户登录,他们的ID将存储在其设备上的Cookie中,这将帮助网站(客户端)知道是否以及谁登录了。这种解决方案的问题在于,假设一个黑客能够访问数据库,他们将无法看到每个用户的密码(因为我将它们存储为散列),但他们将能够看到他们的ID。因此,如果那个黑客将他们的ID Cookie更改为另一个用户的ID,他们可以轻松地进行黑客攻击,而不必触及其密码(或者登录页面,无论如何都不必触及!)
您是否推荐另一种方式来添加帐户功能到我的应用程序(用于识别是否以及谁登录),而不会 comprom 权安全性?
英文:
In the web apps I have built so far that needed account capabilities I have used the following structure : Once signing up, each user would be randomly assigned an ID number. Once the used would sign in, their ID would be stored in a cookie on their device, which would help the website (client-side) know if and who signed in. The problem with this solution is that if, hypothetically, a hacker got access to the database, they wouldn't be able to see the passwords of each user (as I store them hashed), but they would be able to see their ID. Therefore, if that hacker were to change their ID cookie to an ID of another user, they could easily hack them without ever touching their password (or the sign in page for that matter!)
Would you recommend another way of adding account capabilities to my app (when it comes to identifying if and who signed in) without compromising security?
答案1
得分: 2
不要使用用户ID,而要使用临时会话ID。当用户登录时,在该会话中存储用户ID。然后攻击者仍然可以窃取会话ID并使用它。
因此:
- 经常使会话失效。
- 如果有任何重要请求,请强制用户重新进行身份验证。
- 每次重新身份验证都会更改会话ID。
- 确保会话ID的所有传输都是安全的(例如,使用Cookie,仅使用HTTPS,最好不要使用公共证书,而是使用客户端证书)。
英文:
Don't use user-IDs, use temporary session-IDs. When a user logs in, in that session the user-ID is stored. Then the attacker can still steal the session-ID and use it.
Therefore:
- Invalidate sessions often.
- If there is any important request, force the user to re-authenticate.
- Every (re-)authentication changes the session-ID.
- Secure all transports of the session-IDs (e.g. use cookies, HTTPS only, better not with public certificates but with client certificates).
通过集体智慧和协作来改善编程学习和解决问题的方式。致力于成为全球开发者共同参与的知识库,让每个人都能够通过互相帮助和分享经验来进步。
评论