Question
I want to hash the username for using it in the setcookie function (for setting up a persistent login mechanism).
Is it enough to hash the username with sha1, or do you think I should resort to more advanced solutions?
I have heard about PHPpass, but I think this is recommended for passwords only, as it is something more advanced.
What do you think?
Answer 1:
I think sha1 should be fine. Just prepend or append some string to the username and do the sha1 hashing. That will work.
Answer 2:
Persistent login should never be based on information an attacker could know.
If you must use a persistent login, you need to create a unique, cryptographically random value to assign to that cookie, and create a matching record in your database to check against. If you're on a Unix-based operating system, /dev/urandom should work great as a source. If you absolutely can't find a good source of truly random data, PHP's uniqid function could suffice.
It would probably be a good idea to generate a new persistent token on each initial visit as well to prevent semi-permanent fixation from an attacker.
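The scheme answer 2 describes, written out as an added example (it is not code from the thread). It assumes PHP 7.3 or later, a cookie named `remember`, a 30-day lifetime, and a hypothetical in-memory array `$store` standing in for the database table the answer mentions; replace it with real queries. Two details go a little beyond the answer: `random_bytes()` is PHP's own CSPRNG (it reads from the kernel, so there is no need to open /dev/urandom by hand, and unlike `uniqid()` it is documented as cryptographically secure), and the cookie is split into a selector used for the database lookup and a validator whose SHA-256 is what gets stored, so a leaked table does not hand out working cookies. The constant-time `hash_equals()` comparison and the rotation on every successful use (the answer's last point) are included as well.

```php
<?php
// Added example, not from the Stack Overflow thread. $store is a
// hypothetical stand-in for a database table keyed by selector.
// Requires PHP 7.3+ (random_bytes, hash_equals, setcookie options array).

const COOKIE_NAME = 'remember';
const LIFETIME    = 30 * 24 * 3600; // 30 days, an assumption for the demo

// Issue a new persistent-login token for $userId.
// Cookie value is "selector:validator"; only sha256(validator) is stored.
function issueToken(array &$store, int $userId): string
{
    $selector  = bin2hex(random_bytes(9));   // 72-bit lookup key
    $validator = bin2hex(random_bytes(32));  // 256-bit secret, CSPRNG output
    $store[$selector] = [
        'user_id'        => $userId,
        'validator_hash' => hash('sha256', $validator),
        'expires'        => time() + LIFETIME,
    ];
    return $selector . ':' . $validator;
}

// Check a presented cookie value. Returns the user id or null.
function lookupToken(array &$store, string $cookie): ?int
{
    $parts = explode(':', $cookie, 2);
    if (count($parts) !== 2) {
        return null;
    }
    [$selector, $validator] = $parts;
    if (!isset($store[$selector])) {
        return null;                          // unknown selector
    }
    $row = $store[$selector];
    // Constant-time comparison of the stored and presented validator hashes.
    if (!hash_equals($row['validator_hash'], hash('sha256', $validator))) {
        return null;                          // wrong validator
    }
    if ($row['expires'] < time()) {
        unset($store[$selector]);             // expired: drop the record
        return null;
    }
    return $row['user_id'];
}

// Rotate on each successful use: revoke the old record, issue a fresh token.
function rotateToken(array &$store, string $cookie): ?string
{
    $userId = lookupToken($store, $cookie);
    if ($userId === null) {
        return null;
    }
    unset($store[explode(':', $cookie, 2)[0]]);
    return issueToken($store, $userId);
}

// Send the cookie with the flags a persistent-login cookie should carry.
function sendCookie(string $value): void
{
    setcookie(COOKIE_NAME, $value, [
        'expires'  => time() + LIFETIME,
        'path'     => '/',
        'secure'   => true,     // HTTPS only
        'httponly' => true,     // not readable from JavaScript
        'samesite' => 'Lax',
    ]);
}

// Offline demo of the flow (no HTTP involved).
$store  = [];
$cookie = issueToken($store, 42);
var_dump(lookupToken($store, $cookie) === 42);   // bool(true)
var_dump(lookupToken($store, 'bogus:value'));    // NULL
$fresh = rotateToken($store, $cookie);
var_dump(lookupToken($store, $cookie));          // NULL: old token revoked
var_dump(lookupToken($store, $fresh) === 42);    // bool(true)
if (PHP_SAPI !== 'cli') {
    sendCookie($fresh);
}
```

Revoking a session is then just deleting the row, and a cookie stolen from one browser stops working the moment the legitimate client uses its own copy and rotates it.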
Source: https://stackoverflow.com/questions/12427817/is-hashing-the-username-in-a-cookie-safe-enough-for-a-persistent-login-mechanism