几个不错的安全性疑难杂症的是
A few good security gotcha's are
- 绝不会存储一个未加密的口令的用户数据库中的
- 绝不会存储用户密码或会话或cookie数据的密码,即使散列。
- 如果您需要有确保登录的就是保证你必须使用https。
-
never store the an un-encrypted users password in the database
-
never store the users password or even a hash of the password in session or cookie data.
- If you need to have ensure that the login is secure you have to use https.
我发现这些文章很有帮助建立登录系统与饼干:
I found these article very helpful in building login systems with cookies:
- blog post on the fishbowl.
- Improved Persistent Login Cookie Best Practice
