
A login token system

开发者 https://www.devze.com 2023-01-05 03:12 Source: Web

I am currently creating a very basic piece of DBMS software - I would however like the user not to have to type in their details every time. Instead I would like them to click on a control panel link that would log them straight in.

My solution thus far has been a token system whereby there is a table in the database with the login details for that user accompanied by a tokenString - the user simply goes to a page passing the tokenString as a post variable and it logs them in.

Is this a good idea?

Many Thanks, J Harley


It's not completely secure, but you are making an ease-of-use tradeoff. So if the page you display the links on changes the tokens for each person's login every time it is loaded (and makes the tokens expire after some short time period), you'd prevent the link from getting out into the wild or someone hacking their email and getting an old login link.


I realize this is over 9 years old, but have you heard of "Hardened Stateless Session Cookies"?

The Fu et al. scheme [of stateless session cookies] has the property that an attacker who can read the cryptographic key stored in the database can create spoofed cookies. [...] It’s good practice in security engineering to design systems with the widest possible range of attacker capabilities in mind. I therefore designed a cookie scheme which would do all that the Fu et al. design did, but also maintained some of its security properties if the attacker has read-access to the authentication database and knows the cookie authentication key. I published a paper on this topic — Hardened stateless session cookies — at the 2008 Security Protocols Workshop.

The trick behind my scheme is to store the hash of the user’s password in the cookie, and the hash of that in the authentication database. This means that it’s possible for the server to verify cookies, but the authentication database doesn’t contain enough information to create a fake cookie. Thus an attacker with read-access to the database still needs to know the user’s password to log in, and that isn’t stored. There are some additional subtleties to resist different attacks, and those are described in the paper.

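As an added example (not part of the original question or answers, and not the paper's own construction), a simplified Python sketch of the idea quoted above: the cookie carries H(password) under a MAC, the authentication database stores only H(H(password)), so someone who can read the database and knows the cookie key still cannot mint a valid cookie. SHA-256, the cookie layout and the expiry field are this example's assumptions; a real deployment would use a salted password KDF and the additional measures the paper describes.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional

# Server-side cookie authentication key (assumption: a single random key).
COOKIE_KEY = secrets.token_bytes(32)

# Authentication "database": username -> H(H(password)). Constructed in-memory
# for the example; H(password) itself is never stored server-side.
AUTH_DB: Dict[str, bytes] = {}


def _h(data: bytes) -> bytes:
    # Assumption: plain SHA-256 stands in for the paper's hashing and a real KDF.
    return hashlib.sha256(data).digest()


def register(user: str, password: str) -> None:
    AUTH_DB[user] = _h(_h(password.encode()))


def issue_cookie(user: str, expiry: int, pw_hash: bytes) -> str:
    # Cookie = user | expiry | H(password) | MAC over the preceding fields.
    body = f"{user}|{expiry}|{pw_hash.hex()}"
    tag = hmac.new(COOKIE_KEY, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}|{tag}"


def login(user: str, password: str, expiry: int) -> Optional[str]:
    # Password check: H(H(pw)) must match the database entry.
    pw_hash = _h(password.encode())
    stored = AUTH_DB.get(user)
    if stored is None or not hmac.compare_digest(_h(pw_hash), stored):
        return None
    return issue_cookie(user, expiry, pw_hash)


def verify_cookie(cookie: str, now: int) -> Optional[str]:
    # Returns the authenticated username, or None if the cookie is invalid.
    try:
        user, expiry_s, pw_hash_hex, tag = cookie.split("|")
        expiry, pw_hash = int(expiry_s), bytes.fromhex(pw_hash_hex)
    except ValueError:
        return None
    body = f"{user}|{expiry}|{pw_hash_hex}"
    expected = hmac.new(COOKIE_KEY, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected) or now > expiry:
        return None
    stored = AUTH_DB.get(user)
    # A forger holding only the database value H(H(pw)) cannot pass this check,
    # because the server hashes the cookie's field once more before comparing.
    if stored is None or not hmac.compare_digest(_h(pw_hash), stored):
        return None
    return user
```

Note that, as in the quoted description, the cookie key alone no longer suffices to forge a session; it only protects the cookie's integrity, while authentication still depends on a value derived from the password.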
