php 生成密码重置密码
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/3558291/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
Generate secret code for password reset
提问by nuttynibbles
I'm doing a module which allow users to reset password. I noticed how most websites they provide a confirmation link which contain query string that has a unique hash.
我正在做一个允许用户重置密码的模块。我注意到大多数网站如何提供确认链接,其中包含具有唯一哈希的查询字符串。
My question is: How can I generate this unique hash each time the same user request forgot password? Should I store this hash in database and use it for verification later on? Will it be safe? Or should I create some sort of algorithm which generate one-time password? How can I generate a OTP?
我的问题是:每次同一个用户请求忘记密码时,我如何生成这个唯一的哈希?我应该将此哈希存储在数据库中并稍后使用它进行验证吗?会安全吗?或者我应该创建某种生成一次性密码的算法?如何生成一次性密码?
回答by Artefacto
Yes, you should
是的你应该
- Generate a random reset token. See e.g. this answer.
- Store it in the database (possibly with an expiry time)
- Send e-mail to the user with the reset token.
- User visits the reset password page with the reset token in the query string.
- Check the database to see the user associated with the reset token and if the expiry time hasn't passed.
- If everything checks out, allow the user to reset the password and delete the reset token from the database.
- 生成随机重置令牌。参见例如这个答案。
- 将其存储在数据库中(可能有到期时间)
- 使用重置令牌向用户发送电子邮件。
- 用户使用查询字符串中的重置令牌访问重置密码页面。
- 检查数据库以查看与重置令牌关联的用户以及是否未超过到期时间。
- 如果一切正常,允许用户重置密码并从数据库中删除重置令牌。
There seems to be a lot a confusion about the generation of the reset token (or whatever you want to call it). Please read the answer I've linked to and don't reinvent the wheel with hashes and weak seeds.
关于重置令牌的生成(或您想称呼的任何名称)似乎有很多困惑。请阅读我链接的答案,不要用散列和弱种子重新发明轮子。
回答by Piskvor left the building
Just using some hash function with user's ID, user's salt (you salt the user's password, right?) and pseudo-random data should be OK:
只需使用一些带有用户 ID、用户盐的散列函数(您对用户的密码加盐,对吗?)和伪随机数据应该没问题:
$pwd_reset_hash = hash ( 'sha256' , $user_id . $user_salt, uniqid("",true));
$pwd_reset_hash = hash ( 'sha256' , $user_id . $user_salt, uniqid("",true));
Store it in the DB (together with time of request) as the reset key for this user
将其存储在数据库中(连同请求时间)作为该用户的重置密钥
user_id pwd_reset_hash time_requested
===========================================
123 ae12a45232... 2010-08-24 18:05
When the user tries to use it, check that the hash matches the user and that the time is recent (e.g. "reset code is valid for 3 hours" or something like that)
当用户尝试使用它时,检查散列是否与用户匹配以及时间是否是最近的(例如“重置代码有效期为 3 小时”或类似的内容)
delete it from DB when used or expired
使用或过期时将其从数据库中删除
回答by Blizz
The way to go is indeed generate some kind of random thing and storing it in the database. As soon as the password is changed you remove the relevant record from the table so that the link cant be used again.
要走的路确实是生成某种随机的东西并将其存储在数据库中。更改密码后,您将从表中删除相关记录,以便无法再次使用该链接。
- Mail the url to the user, including the "token".
- If the link is visited, check if the token exists, allow user to change password
- Delete the token from the database.
- 将 url 邮寄给用户,包括“令牌”。
- 如果链接被访问,检查令牌是否存在,允许用户更改密码
- 从数据库中删除令牌。
As said already in the other responses, doing a SHA1 or an MD5 of the userid, combined with microtime and some salt string is usually a safe bet.
正如其他回复中所述,对用户 ID 进行 SHA1 或 MD5,结合 microtime 和一些盐字符串通常是一个安全的赌注。
回答by shamittomar
1) To generate the unique hash, mix current-time, user-id and some salt (text). For example, if your website is mysite.com, then use this code:
1) 要生成唯一的哈希,混合当前时间、用户 ID 和一些盐(文本)。例如,如果您的网站是 mysite.com,则使用以下代码:
$hash = md5(time() . $userid . 'mysite');
This will create a nice hash.
这将创建一个很好的哈希。
2) Yes, store it in database.
3) Yes, as long as you expire the hash after a fixed period of time, it will be secure.
4) No, generating one-time password usually annoys users.
2)是的,将其存储在数据库中。
3) 是的,只要您在固定的时间段后使哈希过期,它就会是安全的。
4) 不,生成一次性密码通常会惹恼用户。
