Skåne Sjælland Linux User Group - http://www.sslug.dk
 

Re: [PROGRAMMERING] PHP: Storing passwords in a responsible way.



Lars Riisgaard Ribe <sslug@sslug> writes:

> 3) Store the username and MD5-hashed password in a MySQL table with an
> extra field for a mysql password. Store the username and mysql password
> in a cookie (Advantages: no relevant info whatsoever on the user's
> machine, but unfortunately it is still in the db on the server. What
> should the hash string be?)

It is probably me being dense, but would you mind spelling out your
whole login procedure? It sounds as if you both validate against an
LDAP server and get a database password from the user?


For autologin I would absolutely store the user's real
'credentials'[0] and then make some ad hoc credentials; that could for
example be a timestamp, the IP address and a hash of some random data
(process number, the size of a log file, the number of bytes sent on
eth0 and a byte from /dev/random).

That of course requires that you store the user's real credentials,
but if your database server gets compromised you are screwed anyway.


-- 
 Peter Makholm     |        One thing you do is prevent good software from
 sslug@sslug |      being written. Who can afford to do professional
 http://hacking.dk |                                     work for nothing?
                   |                                         -- Bill Gates
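The "ad hoc credentials" idea above (the browser holds something that is not the real password, and the server keeps a row it can check it against) worked out in PHP, as an added example that is not part of the original thread or Peter's code. It swaps the timestamp/IP/log-file mix for a random token from random_bytes(), and keeps only a SHA-256 of the secret half in the table, so a dumped table cannot be replayed as a cookie. The in-memory array standing in for the MySQL table, the 30-day lifetime and the cookie layout "selector:validator" are assumptions made for the example.

```php
<?php
declare(strict_types=1);

// Added example, not from the original thread. $autologinTable stands in for
// a MySQL table with columns (selector, validator_hash, username, expires);
// here it is just an array keyed by selector so the script runs stand-alone.
$autologinTable = [];

const AUTOLOGIN_TTL = 30 * 24 * 3600; // 30 days; assumed lifetime

/**
 * Issue ad hoc credentials for autologin. The browser gets both halves
 * (selector and validator); the table stores only a hash of the validator,
 * so someone who reads the table still cannot build a working cookie.
 */
function issueAutologin(array &$table, string $username, int $now): string
{
    $selector  = bin2hex(random_bytes(9));   // lookup key, 18 hex chars
    $validator = bin2hex(random_bytes(32));  // the secret, 64 hex chars
    $table[$selector] = [
        'username'       => $username,
        'validator_hash' => hash('sha256', $validator),
        'expires'        => $now + AUTOLOGIN_TTL,
    ];
    return $selector . ':' . $validator;
}

/**
 * Verify an autologin cookie. Returns the username on success, null otherwise.
 * The row is deleted on every attempt (single use), so a stolen cookie stops
 * working as soon as it, or the legitimate copy, has been presented once.
 */
function checkAutologin(array &$table, string $cookie, int $now): ?string
{
    $parts = explode(':', $cookie, 2);
    if (count($parts) !== 2) {
        return null;
    }
    [$selector, $validator] = $parts;
    if (!isset($table[$selector])) {
        return null;            // unknown selector
    }
    $row = $table[$selector];
    unset($table[$selector]);   // single use, whatever the outcome below
    if ($row['expires'] < $now) {
        return null;            // expired
    }
    // hash_equals() compares in constant time, so the check does not leak
    // how many leading bytes of the validator were right.
    if (!hash_equals($row['validator_hash'], hash('sha256', $validator))) {
        return null;            // wrong validator
    }
    return $row['username'];
}

// Demonstration on the constructed table (run with: php autologin.php).
$now    = 1700000000;
$cookie = issueAutologin($autologinTable, 'lars', $now);
// In the web application the cookie would be set roughly like this:
// setcookie('autologin', $cookie, ['expires' => $now + AUTOLOGIN_TTL,
//     'secure' => true, 'httponly' => true, 'samesite' => 'Lax']);

echo "fresh cookie   : ", var_export(checkAutologin($autologinTable, $cookie, $now + 10), true), "\n";
echo "replayed cookie: ", var_export(checkAutologin($autologinTable, $cookie, $now + 20), true), "\n";

$cookie2  = issueAutologin($autologinTable, 'lars', $now);
$lastChar = substr($cookie2, -1);
$tampered = substr($cookie2, 0, -1) . ($lastChar === '0' ? '1' : '0'); // flip one hex digit of the validator
echo "tampered       : ", var_export(checkAutologin($autologinTable, $tampered, $now + 10), true), "\n";

$cookie3 = issueAutologin($autologinTable, 'lars', $now);
echo "expired        : ", var_export(checkAutologin($autologinTable, $cookie3, $now + AUTOLOGIN_TTL + 1), true), "\n";
```

The first check succeeds and deletes the row, so the second call with the same cookie fails; the tampered and expired cookies fail for their own reasons. Splitting the cookie into a selector and a validator is what lets the lookup be a plain indexed query while the comparison stays constant-time; if the IP address or a timestamp is wanted as well, as in the mail above, they belong in the row next to expires and are checked the same way.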


 
Last modified 2005-08-10, 22:44 CEST