Authentication pattern for a JavaScript application using AJAX

Tags: application, authentication, pattern, JavaScript

2023-09-10 16:57:46 Author: 爱恨怎么扯平


This is not a question about some specific JavaScript detail, but I'm looking for validation that there are no obvious holes in the model that I've created. I decided to roll my own authentication routine (except for using bcrypt to hash in the backend), which will work like this:

1. The user (browser, or native app created with PhoneGap) posts a JSON object with the user profile data, including the password, using jQuery AJAX; the backend hashes the password with bcrypt and saves it.
2. The backend generates a token (a random hash, e.g. from /dev/urandom), saves it together with the client IP address, and returns it.
3. A jQuery plugin stores the token in a local cookie.
4. When making a request (post, comment, whatever, but not too frequently), it reads the token from the cookie, adds it to the JSON and posts it again using AJAX.
5. The backend checks that the token exists and has not expired (valid for 7 days), checks that the IP address is the same, and if everything is OK validates the request JSON data and processes the request.
6. When the token has expired, the login screen is shown, the credentials are posted via AJAX and a new token is created as in step 2.


Everything goes through SSL for AJAX requests and no passwords are stored anywhere. There is also a mechanism checking for brute-force token spamming, blocking the source IP temporarily if a threshold is exceeded. This is not a high-security app, but I want to respect users' data and make sure it's secure "enough".


I hope the question qualifies even though it's not specific, and that it works as a reference for someone else if it sparks some discussion. I couldn't find any best-practice tutorials on this particular approach.


UPDATE: The authentication mechanism has been updated according to the feedback received, as it seems to be 'secure enough' for a non-critical web application.

Recommended answer


I have tried to cover everything that I could think of from a high-level perspective, given that you said your application isn't a high-security app and you want the basic security controls in place.


The authentication flow and the mechanism it is using seem fine to me. The only point of concern I see here is the session management itself. Generating a session token using MD5 is fine (depending on whether you are using the correct pseudo-random functions, which are seeded the correct way), though SHA1/SHA256 might be better choices if anyone ever tries to create a collision for your tokens.


I see a few things missing here - they might be omitted, or they might not be there, so I will mention them all. The first thing - you have not mentioned whether you ensure that there is a match between the user and the cookie that you received. You need to make sure those two match, so that one user cannot steal a second user's session.


The second thing I see missing here is validation that the cookie is NOT stolen from the user it was issued to. For example, if I managed to steal the session cookie from a user and replayed it on my own computer from a different place, I would still be able to log in with the current session handling mechanism.


You need a way to uniquely identify which computer the request is coming from - one way to do it (and the way that a PHP framework called CodeIgniter does it) is by verifying the IP address, as well as the User Agent that the request is coming from. The latter is easy to spoof, but the former is much harder. This makes your session more resilient to attacks - unless the application is used in an internet cafe on a public machine, and the user has not logged off.


That brings me to my final point - I don't see a logout mechanism mentioned here, or how the logout is performed. The basic assumption would be that you invalidate the session cookie as soon as the user logs out, and you don't accept that session cookie again. If you haven't done this already, that is something else you can do to ensure your session's security.