Alexander Makarov
11 years ago
1 changed files with 81 additions and 0 deletions
@ -0,0 +1,81 @@
|
||||
Security |
||||
======== |
||||
|
||||
Hashing and verifyig passwords |
||||
------------------------------ |
||||
|
||||
It is important not to store passwords in plain text but, contrary to popular belief, just using `md5` or `sha1` to |
||||
compute and verify hashes isn't a good way either. Modern hardware allows to brute force these very fast. |
||||
|
||||
In order to truly secure user passwords even in case your database is leaked you need to use a function that is resistant |
||||
to brute-force such as bcrypt. In PHP it can be achieved by using [crypt function](http://php.net/manual/en/function.crypt.php) |
||||
but since usage isn't trivial and one can easily misuse it, Yii provides two helper functions for generating hash from |
||||
password and verifying existing hash. |
||||
|
||||
When user sets his password we're taking password string from POST and then getting a hash: |
||||
|
||||
```php |
||||
$hash = \yii\helpers\Security::generatePasswordHash($password); |
||||
``` |
||||
|
||||
The hash we've got is persisted to database to be used later. |
||||
|
||||
Then when user is trying to log in we're verifying the password he entered against a hash that we've previously persisted: |
||||
|
||||
```php |
||||
if(Security::validatePassword($password, $hash)) { |
||||
// all good, logging user in |
||||
} |
||||
else { |
||||
// wrong password |
||||
} |
||||
``` |
||||
|
||||
|
||||
Random data |
||||
----------- |
||||
|
||||
Random data is useful in many cases. For example, when resetting a password via email you need to generate a token, |
||||
save it to database and send it via email to end user so he's able to prove that email belongs to him. It is very |
||||
important for this token to be truly unique else there will be a possibility to predict a value and reset another user's |
||||
password. |
||||
|
||||
Yii security helper makes it as simple as: |
||||
|
||||
```php |
||||
$key = \yii\helpers\Security::generateRandomKey(); |
||||
``` |
||||
|
||||
Encryption and decryption |
||||
------------------------- |
||||
|
||||
In order to encrypt data so only person knowing a secret passphrase or having a secret key will be able to decrypt it. |
||||
For example, we need to store some information in our database but we need to make sure only user knowing a secret code |
||||
can view it (even if database is leaked): |
||||
|
||||
|
||||
```php |
||||
// $data and $secretWord are from the form |
||||
$encryptedData = \yii\helpers\Security::encrypt($data, $secretWord); |
||||
// store $encryptedData to database |
||||
``` |
||||
|
||||
Then when user want to read it: |
||||
|
||||
```php |
||||
// $secretWord is from the form, $encryptedData is from database |
||||
$data = \yii\helpers\Security::decrypt($encryptedData, $secretWord); |
||||
``` |
||||
|
||||
Making sure data wasn't modified |
||||
-------------------------------- |
||||
|
||||
hashData() |
||||
validateData() |
||||
|
||||
|
||||
Securing Cookies |
||||
---------------- |
||||
|
||||
- validation |
||||
- httpOnly |
||||
Loading…
Reference in new issue