Wordpress 存储用户身份验证数据的方式背后的细节是什么?
首先,让我定义最终目标:
我希望使用 Wordpress(版本 2.8)来管理网站的身份验证数据/凭据和访问控制。 该网站的大部分内容将使用 WordPress,但某些页面将在 Wordpress 环境之外构建。 这些页面应该能够使用Wordpress数据库中存储的用户身份验证数据作为参考来做出自己的访问决策。
那么问题来了:
Wordpress 究竟如何在其数据库中存储用户身份验证数据?
这个答案的第一部分很简单,在 Wordpress 数据库中,有一个表保存主要用户数据。 我相信该表的默认名称是“wp_users”,但这可以根据 WordPress 的设置方式进行更改。 该表包含字段“user_login”和“user_pass”,分别保存用户名和密码数据。
“user_login”只是一个纯文本字段,因此很容易访问,但密码经过加盐和散列处理。 这导致仍然需要确定的第一件事:Wordpress 用于生成存储在“user_pass”中的字符串的加盐和哈希过程是什么?
另一个尚未解决的部分是 Wordpress 存储其“角色”的位置/方式。 在我的安装中,这些角色默认为:管理员、编辑者、作者、贡献者和订阅者。 我没有看到这些角色如何与个人用户关联。 另外,这些角色可以改变吗?
因此,回顾一下,真正的问题分为三个部分:
1)Wordpress 使用什么具体方法将用户的纯文本密码转置为存储在“wp_users”数据库表的“user_pass”列中的字符串?
2) 个人用户和他们各自的Wordpress“角色”之间的链接存储在哪里?
3)可以修改Wordpress中的“角色”来更改其名称和/或添加/删除它们吗?
注意:我意识到另一种方法是让非 WordPress 页面检查 Wordpress cookie 以确定访问权限。 我将沿着这些思路创建另一个问题,但就这个问题而言,重点是非 WordPress 页面如何利用实际的 Wordpress 数据库来做出访问控制决策。
First off, let me define the end goal:
I'd like to Wordpress (version 2.8) to manage the authentication data/credentials and access control for a web site. Wordpress will be used for most of the site, but some pages will be built outside of the Wordpress environment. These pages should be able to use the user authenticaion data stored Wordpress database as a reference to make their own decisions about access.
So, the question:
How, exactly, does Wordpress store user authentication data in its database?
The first part of this answer is easy, inside the Wordpress database, there is a table that holds the primary user data. I believe the default name for this table is "wp_users" but that can change based on the way Wordpress is setup. This table contains the fields "user_login" and "user_pass" which hold the username and password data, respectively.
The "user_login" is simply a plain text field, so that is easy enough to access, but the password is salted and hashed. This leads to the first thing that still needs to be determined: what is the salting and hashing process Wordpress uses for generating the strings that it stores in "user_pass"?
The other portion that remains open is where/how Wordpress stores its "roles". In my install, these roles default to: Administrator, Editor, Author, Contributor and Subscriber. What I don't see is how these roles are associated with individual users. Also, can these role altered?
So, to recap, the real question is in three parts:
1) What is the specific method Wordpress uses to transpose users' plain-text passwords to the strings that are stored in the "user_pass" column of the "wp_users" database table?
2) Where are the links between individual users and their respective Wordpress "roles" stored?
3) Can "roles" in Wordpress be modified to change their names and/or add/remove them?
Note: I realize that another approach would be to have non-Wordpress pages check the Wordpress cookie to determine access. I'm going to create another question along those lines, but for purposes of this question the focus is on how non-Wordpress pages can utilize the actual Wordpress database for decisions on access control.
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(1)
wp_user_level键下的wp_usermeta表中您可能需要查看bbPress 的代码,因为它将共享 Wordpress 的用户数据库。
wp_usermetatable under thewp_user_levelkeyYou might want to look at the code for bbPress because it will share Wordpress' user database.