问题
In my login page I log in through username and password (that I get from a jsp page), then I check LDAP and if the credentials are correct, then I continue the browsing to other pages.
I would like to store somewhere username and password, because in some next pages, I may need them to make other stuff.
I was thinking to store them in the session, but I'm scared that this can bring to security issue. Am I wrong? Maybe is it better to store them in the DB and query the DB the every times that I need them, and storing in the session just an ID that point to a DB record? (this could be ok, but maybe exist faster and better ways)
Which is the best way to store them from action to action?
回答1:
Different passwords for different places
You should use different passwords for your web application and LDAP. Like now, an attacker that discovers the LDAP password automatically gains access to your application, and viceversa.
Force the user (that usually wants the same password everywhere because it's easy to remember) to choose a different password by checking its equality (against the LDAP one) when creating a new password in your webapp.
Never save passwords
You should not save users passwords anywhere, because anyone with database access would be able to retrieve all the passwords.
The correct way to go is not encryption, but one-way hashing (better with Salt, to prevent Rainbow Tables attacks):
- hash the password when the user creates it, then save the result on db.
- when the user logs in, hash the password he enters, then check the resultant hash against the hash in the database.
- if the user forgets the password, reset it and ask him to pick a new one.
In Java one of the best implementations out there is jBCrypt, based on BCrypt.
Always prefer char[] to String for password handling
Because it's more safe for different reasons Jon Skeet said it :)
来源:https://stackoverflow.com/questions/22255325/struts2-how-to-store-safety-username-and-password-from-action-to-action