DivineRapierH's recent timeline updates


V2EX member No. 433213, joined 2019-07-31 17:34:41 +08:00
DivineRapierH recently replied
275 days ago
Replied to the topic created by s4d in Share & Discover: A misunderstanding caused by turning on Focus mode
The following is excerpted from https://crackstation.net/hashing-security.htm

In a Web Application, always hash on the server

If you are writing a web application, you might wonder where to hash. Should the password be hashed in the user's browser with JavaScript, or should it be sent to the server "in the clear" and hashed there?

Even if you are hashing the user's passwords in JavaScript, you still have to hash the hashes on the server. Consider a website that hashes users' passwords in the user's browser without hashing the hashes on the server. To authenticate a user, this website will accept a hash from the browser and check if that hash exactly matches the one in the database. This seems more secure than just hashing on the server, since the users' passwords are never sent to the server, but it's not.

The problem is that the client-side hash logically becomes the user's password. All the user needs to do to authenticate is tell the server the hash of their password. If a bad guy got a user's hash they could use it to authenticate to the server, without knowing the user's password! So, if the bad guy somehow steals the database of hashes from this hypothetical website, they'll have immediate access to everyone's accounts without having to guess any passwords.

This isn't to say that you shouldn't hash in the browser, but if you do, you absolutely have to hash on the server too. Hashing in the browser is certainly a good idea, but consider the following points for your implementation:

- Client-side password hashing is not a substitute for HTTPS (SSL/TLS). If the connection between the browser and the server is insecure, a man-in-the-middle can modify the JavaScript code as it is downloaded to remove the hashing functionality and get the user's password.

- Some web browsers don't support JavaScript, and some users disable JavaScript in their browser. So for maximum compatibility, your app should detect whether or not the browser supports JavaScript and emulate the client-side hash on the server if it doesn't.

- You need to salt the client-side hashes too. The obvious solution is to make the client-side script ask the server for the user's salt. Don't do that, because it lets the bad guys check if a username is valid without knowing the password. Since you're hashing and salting (with a good salt) on the server too, it's OK to use the username (or email) concatenated with a site-specific string (e.g. domain name) as the client-side salt.
289 days ago
Replied to the topic created by undertow in Life: Looking for US TV series recommendations
Hijack, just released on Apple TV+, is good
311 days ago
Replied to the topic created by yuhuanxi in Share & Discover: Tried the Arc browser, it's really nice
@582217 You can pin them in a space and manage them with folders. Think of it as the bookmarks feature implemented as a special case of pinned URLs.
I saw that 易博通 offers short-term mainland-China eSIM data plans; you can check their WeChat official account.
332 days ago
Replied to the topic created by qsnow6 in Q&A: Why is it so hard to keep a safe following distance on the highway?
@Vegetable #7 Same in my building: the parking exit clearly only allows a right turn, but to save one U-turn many people drive the wrong way for those 20 metres. It's not an isolated case either; from my observation, at least half the cars drive that way.
@xclin163 Are you on Windows or Mac? If Mac, there's an app called AutoSwitchInput that can be configured to switch to a specific input method automatically when you enter a particular app.
2023-03-22 17:37:14 +08:00
Replied to the topic created by luke8beijing in Q&A: HELP! Looking for a micro-library management software!
Our company does exactly this; it's a SaaS product, and at this scale it might be free. You can contact our technical support via the official website.
jiatu.info, choose 嘉圕云瀚 at the top
2023-03-22 17:35:04 +08:00
Replied to the topic created by luke8beijing in Q&A: HELP! Looking for a micro-library management software!
https://www.jiatu.info/ choose 嘉圕云瀚 at the top