
Building a Secure Username/Password Login System

Author: Anonymous  Published: 2016-08-02 21:13:26

Written 2016-08-01, revised 2016-08-02. Category: Programming notes. Tags: AngularJS / Express / Node.js / Waterline / Security

Many web applications have a username/password login, yet the vast majority of those logins have no security to speak of. Without exaggeration, most programmers simply do not know how to keep usernames and passwords safe.

Security criteria

For a login system to be secure, at least the following aspects must be covered.

Security of the plaintext password

Many people's idea of plaintext password security stops at keeping it out of the hands of unauthorized third parties. In reality, the biggest threat to the plaintext password usually comes from the system's own developers and server administrators. Whether they collect it deliberately or leak it by accident, they are often the main culprits behind plaintext password leaks. When building a login system this should be ruled out at the root: only the user (and any keylogger on their machine) should ever know the plaintext password.

How is this achieved? The first point is that the password must be encrypted (hashed) on the client, so that what the backend receives is already transformed. First, the server never sees the plaintext; second, even if the communication is eavesdropped, a third party who obtains the client-side ciphertext that can be used to log in still cannot learn the user's plaintext password.

Hashing: irreversible "encryption"

Password encryption differs from ordinary encryption: first, the content is sensitive; second, verifying a password does not need the plaintext at all. To check whether a password is correct, it is enough to check whether its encrypted result matches the encrypted result of the correct password. Given these two points, the only requirement on the encryption method is that encrypting the same string always yields the same ciphertext. Hashing satisfies this requirement completely.

Among hash algorithms the first choice is the SHA-2 family; although its security has been questioned because of what happened to SHA-1, so far nothing has been shown to be broken. MD5 is used far too widely and rainbow tables for it are everywhere, so it is not recommended.

Another question: is hashing once enough? Of course not. Not only should the password be hashed several times, it should also be mixed with data such as the username. For example, the plaintext password can be encrypted on the client as follows:

sha256(
  sha256(sha256(password)) + sha256(username)
)

This not only makes it harder to recover the plaintext from the ciphertext; by mixing in the username it also ensures that even when two users have the same password, their ciphertexts are completely different.

Client-side encryption can basically go no further than this, because the fundamental problem is that the client-side algorithm is public.

Salt: mixing in random data

Although the password is encrypted on the client, both the algorithm and the mixed-in username are public. The remaining encryption has to be left to the backend.

Because hashing the same string always gives the same result, someone who knows the algorithm and the ciphertext can in theory work back to the password; how hard that is depends on the complexity of the user's original password. How can the difficulty be increased exponentially? The answer is to add a random string on top of the password ciphertext, which has the effect of making the user's password more complex. That random string is the salt.

After the backend receives the password sent by the client, it encrypts it again with a salted hash, for example like this:

sha256(
  sha256(username + sha256(password + salt)) + salt + sha256(username + salt)
)

Note that how the salt is stored is critical: be sure to keep it separate from the user information.

Updating the ciphertext and salt, and making them untraceable

The password has now been hashed several times on both the client and the backend, and salted; it looks very secure. But we can do better still: change the salt frequently, so that the ciphertext field in the user information table also changes frequently. Then, unless both the user information and the salt are obtained at the same time, what is obtained is still useless.

When should the salt and ciphertext be changed? Since the backend does not store the client-side hashed ciphertext, the salt and ciphertext can only be changed at login time.

Can the username itself be encrypted?

This idea may sound far-fetched, but in fact, if the username serves purely as a login credential, it can be encrypted just like the password, because neither registration, login nor password recovery needs the plaintext username. Note, however, that the username can only be hashed, not salted; otherwise there would be nothing to look the salt up by.

Hashing the username can be split into two parts: first a client-side hash, and then, once it reaches the server, it can be hashed again.

In this article's Demo, the username is not hashed.

Communication security

At the application level things are now basically secure. Next come the security of the client and of the communication channel. The client environment is essentially beyond our control, so the only place left to work on is the channel. Not much is needed there, though: simply use HTTPS.

Login flow

The above summarized how to secure a username/password login system; here we look at the login flow of a system that meets those requirements. The registration flow is comparatively simple, so it is not described in detail.

The Demo is a simple web username/password login system, and the code samples are taken from it.

Browser login

The browser mainly does the following:

1. Get the username and password entered by the user
2. Hash the entered username and password to obtain the browser-side ciphertext
3. Submit the username and the ciphertext to the backend

The main code is as follows, taken from client/app.js:

// Hash of the password and username
function encryptPwd(username, password) {
  username = username.toLowerCase();
  return sha256(
    username + sha256(
      sha256(sha256(sha256(password))) + sha256(username)
    )
  );
}

$scope.login = function(){
  // Check that the username and password are valid, e.g. that they were
  // entered and are long enough
  if($scope.check()) {
    return;
  }
  $scope.successMessage = '';
  $scope.errorMessage = '';
  $scope.status = 'loading';
  // Submit the login request to the backend; only the client-side
  // ciphertext is sent, never the plaintext password
  $resource('/user/login')
  .save({
    username: $scope.username,
    password: encryptPwd($scope.username, $scope.password)
  }, function(res){
    $scope.status = 'done';
    $scope.successMessage = 'login successful!';
  }, function(reason){
    $scope.status = 'done';
    $scope.errorMessage = reason.data || 'failed';
  });
};

Backend password verification

The backend verification flow is as follows:

1. Receive the username and browser-side ciphertext submitted by the frontend
2. Look up the corresponding salt id in the database by username
3. Fetch the salt by its id, then compute the backend ciphertext from the username, the browser-side ciphertext and the salt
4. Query the user table by username and backend ciphertext; if there is a result, the login information is correct and a login-success response is returned to the browser
5. Generate a new salt, compute the new backend ciphertext, and update both in the database

The implementation is as follows, taken from app/controllers/user.server.controller.js:

function encryptPwd(usr, pwd, salt){
  usr = usr.toLowerCase();
  return sha256(
    sha256(usr + sha256(pwd + salt)) + salt + sha256(usr + salt)
  );
}

function login(req, res, next){
  // Retrieving and validating the username and password is omitted
  // Look up the salt id by username
  req.models.user
  .findOne({select:['username', 'saltId'], where: {username: username}})
  .exec(function(err, userDoc){
    if(err) return next(err);
    if(!userDoc) return next(new Error('username not exists'));

    // Fetch the salt
    req.models.salt
    .findOne({id: userDoc.saltId})
    .exec(function(err, saltDoc){
      if(err) return next(err);
      if(!saltDoc) return next(new Error('can NOT find salt'));

      // Derive the backend ciphertext from the username, the browser-side
      // ciphertext and the salt
      var pwdHash = encryptPwd(username, password, saltDoc.salt);
      // Check the username and ciphertext against the database
      req.models.user
      .findOne({select: ['id'], where: {username: username, password: pwdHash }})
      .exec(function(err, doc){
        if(err) return next(err);
        if(!doc) return next(new Error('password error'));

        res.json({
          username: username
        });

        // Rotate the salt and stored ciphertext after a successful login
        return updateSalt(saltDoc, userDoc, password, next);
      });
    });
  });
}

Updating the salt and ciphertext

After the successful-login response is returned to the user above, the method that updates the salt and ciphertext is called. Its flow is:

1. Generate and store a new salt
2. Generate a new backend ciphertext from the new salt, the username and the browser-side ciphertext
3. Store the backend ciphertext in the user information table

The implementation is as follows, taken from app/controllers/user.server.controller.js:

var crypto = require('crypto');

function updateSalt(saltDoc, userDoc, passwordInputed, next){
  // Generate the new salt from the CSPRNG; Math.random() is not suitable
  // for security-sensitive values such as salts
  saltDoc.salt = crypto.randomBytes(16).toString('hex');
  saltDoc.save(function(err){
    if(err) return next(err);
    // Re-derive the backend ciphertext from the new salt, the username and
    // the browser-side ciphertext, then store it in the user record
    userDoc.password = encryptPwd(userDoc.username, passwordInputed, saltDoc.salt);
    userDoc.save(function(err){
      if(err) return next(err);
      return next();
    });
  });
}

Demo

The Demo is hosted on GitHub. The frontend uses AngularJS + Bootstrap and the backend Node.js + Express + MongoDB, making it a typical MEAN application.

For data storage it uses the Waterline ORM middleware (two introductory articles were written earlier, for reference: "Node.js ORM data-access middleware Waterline" and "Using Waterline in an Express project"). The main reason for using it is to store the user information and the salts in different places. In this example the salts are stored in a file via sails-disk, and the user information is stored in MongoDB via sails-mongo.

git clone http://github.com/stiekel/safe-username-password-login.git
cd safe-username-password-login
npm i
npm i -g gulp
gulp

Then open http://localhost:7102/ in a browser.