我正在使用Mojolicious Web框架来构建一个小型站点。我的目标是强大的安全性。第一步是保护登录信息,主要是用户名和密码。我想实现这篇文章Username, Password, Salting, Encrypting, Hash - How does it all work?的提问者给出的逻辑。在通过互联网将用户名和密码发送到Mojolicious Web服务器之前,必须至少将用户名和密码加密并在用户的浏览器中进行散列。我认为最好的方法是使用嵌入式perl来操作表单值,然后重新分配它们,这样当按下“提交”按钮时只有盐水和散列用户名,密码就会在控制器内部接收:mojolicious中的逻辑就像(复制)来自Mojolicious网站.MyUsers.pm处理服务器上的登录验证,我将调整它以处理盐渍和散列字符串。)
#!/usr/bin/env perl
use Mojolicious::Lite;
use lib 'lib';
use MyUsers;
# Helper to lazy initialize and store our model object
helper users => sub { state $users = MyUsers->new };
# /?user=sri&pass=secr3t
any '/' => sub {
my $self = shift;
$self->render('login');
};
any '/' => sub {
my $self = shift;
$self->render('login');
};
any 'check_login' => sub {
my $self = shift;
# Query parameters
my $user = $self->param('user') || '';
my $pass = $self->param('pass') || '';
# Check password
return $self->render(text => "Welcome $user.")
if $self->users->check($user, $pass);
# Failed
$self->render(text => 'Wrong username or password.');
};
app->start;
__DATA__
@@ login.html.ep
% title 'Login Page.';
<form name="input" action="check_login" method="post">
User: <input type="text" name="user"><div>
Pass: <input type="password" name="pass"><div>
<!-- DO SOMETHING HERE to salt and hash $user and $pass before post -->
<input type="submit" value="Submit">
</form>