Re: Is this secure



Gef.Mongoose@xxxxxxxxx wrote:
Ray Booysen wrote:
Gef.Mongoose@xxxxxxxxx wrote:
What would be considered a secure way to store passwords?

Paul

Hi Gef

I use SHA1 to hash my passwords. When a user is created on my site, his
password is prefixed with a randomly generated salt and hashed with SHA1.
Both the hashed password and salt are stored in the database.

When the user logs in, his password is sent to the SQL server in plain
text through a stored proc and the stored procedure returns whether it
is correct or not, the salt and hash never leave the database once there.

If the user changes their password a new salt is generated and stored
again in the database.

Hope this helps.

Regards
Ray

Hi Ray,

That's a big help. I've just rewritten the password section to use sha1
+ salt. As stated in a previous post, I currently store a user's role
and ID in a session var. But another poster stated this is a security
risk as the role might be changed within the session. A solution is to
just store the user ID and use it to check the role in the db on each page
load. Does this sound like a safe way of doing this? I'm just concerned
about the DB getting hit each page load, first for the role check and then
to pull out the needed data.

Paul

I wouldn't worry too much about the role being only in the database. If your site does become very busy, the role DB hit will be one of many "expenses" that you could look at to fix.

For the moment, pulling from the DB shouldn't be too much of a problem.
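The two mechanisms discussed in this thread (a per-user random salt prefixed to the password and hashed with SHA1, with a fresh salt on every password change; and a session that holds only the user ID while the role is re-read from the database on each request) as an added, self-contained example. This is not code from either poster: it uses an in-memory SQLite table constructed here in place of the site's SQL Server table, and it performs the hash comparison in application code rather than inside a stored procedure as Ray describes. The `slow_hash` function is an added caveat rather than something the thread proposes: a single SHA1 round is very fast to brute-force offline, so a deliberately slow key-derivation function such as PBKDF2 is the better choice for new code, and the example is written so either hasher can be plugged in.

```python
import hashlib
import hmac
import os
import sqlite3

# Constructed in-memory schema standing in for the site's user table.
SCHEMA = """
CREATE TABLE users (
    id       INTEGER PRIMARY KEY,
    username TEXT UNIQUE NOT NULL,
    salt     BLOB NOT NULL,
    pw_hash  BLOB NOT NULL,
    role     TEXT NOT NULL
);
"""


def open_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def salted_sha1(salt: bytes, password: str) -> bytes:
    # The scheme from the thread: random salt prefixed to the password, one SHA1 round.
    return hashlib.sha1(salt + password.encode("utf-8")).digest()


def slow_hash(salt: bytes, password: str, iterations: int = 600_000) -> bytes:
    # Added caveat, not from the thread: PBKDF2-HMAC-SHA256 makes each guess
    # cost hundreds of thousands of hash operations instead of one.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def create_user(conn, username: str, password: str, role: str, hasher=salted_sha1) -> int:
    salt = os.urandom(16)  # 128-bit random salt, unique per user
    cur = conn.execute(
        "INSERT INTO users (username, salt, pw_hash, role) VALUES (?, ?, ?, ?)",
        (username, salt, hasher(salt, password), role),
    )
    return cur.lastrowid


def verify_login(conn, username: str, password: str, hasher=salted_sha1):
    """Return the user id on success, None otherwise. Salt and hash never leave this function."""
    row = conn.execute(
        "SELECT id, salt, pw_hash FROM users WHERE username = ?", (username,)
    ).fetchone()
    if row is None:
        return None
    user_id, salt, stored = row
    # Constant-time comparison so a mismatch position cannot be timed.
    if hmac.compare_digest(hasher(salt, password), stored):
        return user_id
    return None


def change_password(conn, user_id: int, new_password: str, hasher=salted_sha1) -> None:
    salt = os.urandom(16)  # fresh salt on every change, as in the thread
    conn.execute(
        "UPDATE users SET salt = ?, pw_hash = ? WHERE id = ?",
        (salt, hasher(salt, new_password), user_id),
    )


def role_for(conn, user_id: int):
    # The session stores only the user id; the role is read from the DB on each
    # request, so a change made mid-session takes effect on the next page load.
    row = conn.execute("SELECT role FROM users WHERE id = ?", (user_id,)).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = open_db()
    uid = create_user(db, "paul", "correct horse", "member")
    session = {"user_id": verify_login(db, "paul", "correct horse")}
    print("logged in as", session["user_id"], "role", role_for(db, uid))
    db.execute("UPDATE users SET role = 'admin' WHERE id = ?", (uid,))
    print("next request sees role", role_for(db, session["user_id"]))
```

Because `verify_login` looks the salt up by username and recomputes the hash itself, the caller never handles the salt or the stored hash, which is the same property Ray gets from doing the check inside a stored procedure. Each `change_password` call draws a new salt, so two users with the same password, or one user re-using an old password, never share a stored hash.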