How do I handle user authorization the safest way?_问答_开发者

How do I handle user authorization the safest way?

开发者 https://www.devze.com 2023-01-03 18:36 出处：网络

I\'m developing a small website where I\'m going to allow user to create accounts but I\'m quite clueless when it comes to safety around authorizations.

I'm developing a small website where I'm going to allow user to create accounts but I'm quite clueless when it comes to safety around authorizations.

I have built my project in PHP with codeigniter and found a library (Tank Auth) that could handle authorization for me. It stores password in a safe way but I'm still worried about the part when the user sends their password to my server.

One easy way to do it would be to send the password in a post-request but I would guess that it's quite easy to sniff such a password. Should I do something with the password on the client side before sending it to my server? And is there开发者_JAVA百科 any good javascript libraries for this?

As others have said SSL is the prefered way to go.

David Wotever metioned hashing - there's a detailled discussion of the process here

An alternative approach would be to rely exclusively on external providers to handle your authentication for you - openid being the most obvious candidate.

HTH

You can muck around with client-side hashing, but in general POSTing the credentials over a secure (HTTPS) connection is considered sufficient.

This still leaves the possibility of MITM attacks… But performing an MITM attack on an SSL connection isn't entirely trivial, so it's probably not an attack vector you need to be too concerned with.

You say that SSL is too expensive for you, but most hosts offer it for free. The expensive part is getting a private IP address and formal certificate.

However, you could create your own certificate which would mean that all the details are still transmitted securely, it's just your identity that can't be guaranteed. As mentioned by David Wolever, MITM attacks are much harder to do; and anyway are probably not a concern for a hobby site.

Once (if) your site evolves out of being a hobby then you can invest in an assured certificate then.

Authentication via SSL is probably the easiest and most secure way.

If you encrypt it in something like rot13 etc.. it's easily undoable.

As mentioned also, you would want to make sure that your website's security isn't relying on Javascript as that can easily be turned off.

Any other operations performed on the client side can easily be broken.