2

I'm building a website with HTML5, CSS, JavaScript, PHP and MySQL DB. I've created a login page and a 'create new user page' and would like to have an email send to active the user account. What I've built now is working but I would like to verify that I'm doing it safe enough.

When creating the user account I use this code:

$Allowed_Chars = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789./';
$Chars_Len = 63;
$Blowfish_Pre = 'xxxxxxxxxxx';   <- not sure if that is something I can share with anyone
$Blowfish_End = 'xxxxxxxxxxx';   <- not sure if that is something I can share with anyone

$Salt_Length = 21;
$mysql_date = date( 'Y-m-d' );
$salt = "";
for($i=0; $i<$Salt_Length; $i++)
{
    $salt .= $Allowed_Chars[mt_rand(0,$Chars_Len)];
}
$bcrypt_salt = $Blowfish_Pre . $salt . $Blowfish_End;
$hashed_password = crypt($password, $bcrypt_salt);
$activationkey = crypt( $hashed_password . $uname);

(I use the hash_pass + uname to create a new hash for $activationKey, without salt.)

In the database I then store: uname, hashed_password, salt, activationkey and I set a flag that shows the account is NOT activated.

Then I send an e-mail to the user with the activationkey included.

When they user clicks the link I search for the e-mail addres and activationkey. If found I clear the activationkey field in the database and set the flag to show the user is activated and then redirect the user to the activation page.

Would love to hear your thoughts on this.

Gabrie

4

1 回答 1

0

不,这不是您应该做的,crypt() 的参数需要某种格式,否则您将无法获得 BCrypt 值并且盐将不安全。在 PHP 5.5 中有一个名为password_hash()的函数可以完全解决您的问题,对于早期版本,存在来自同一作者的兼容包,使用此函数是“面向未来的”。

激活密钥最好不要从其他参数派生,只需生成一个随机令牌并将此令牌发送给用户。在数据库中,您仅存储此令牌的哈希值。该系统也可用于生成密码重置链接。您可以在此处找到此类令牌的示例实现。

于 2013-09-08T11:28:04.623 回答