堆栈内存溢出
  简体   繁体   English

分析这种用户注册方法

[英]Analyze this user registration approach

 原文  2013-06-14 14:00:02       c#/ asp.net/ asp.net-mvc/ security

问题描述

Consider the following approach regarting an user registration system: 考虑以下有关用户注册系统的方法:

  1. The user fills out a form and send. 用户填写表格并发送。

  2. The system sends an email confirmation to the user and the confirmation link contains all user data (obfuscated). 系统向用户发送电子邮件确认,确认链接包含所有用户数据(混淆)。 

     http://mysite.com/register?name=John&mail=john@john.com&pass=123&etc (obfucated, say, base16).

  3. No registration is actually performed in the system yet. 系统中尚未实际执行注册。

  4. The user clicks the link. 用户单击链接。
  5. The system then finally register the user using the link data. 然后,系统最终使用链接数据注册用户。

What are the failures of that approach? 这种方法有什么失败? Especially in terms of security. 特别是在安全性方面。

I thought this approach in order to avoid the junk columns (such as "activated") in the database. 我认为这种方法是为了避免数据库中的垃圾列(例如“已激活”)。 Such things. 这样的事情。

1 个解决方案

解决方案1
 8 已采纳  2013-06-14 14:14:15

To start, the password should never be passed around. 首先,永远不要传递密码。 As soon as your site collects it, it should be salted, hashed, and stored in the database never to leave again. 您的网站一收集到它,就应该对其进行加盐,散列并存储在数据库中,再也不会丢失。 It definitely shouldn't be emailed or passed in a query string, and for all intents and purposes, encoding is no better than clear text. 绝对不应该通过电子邮件或在查询字符串中传递它,并且出于所有目的和目的,编码并不比纯文本更好。

Second, sensitive data in the querystring should be avoided in general. 其次,一般应避免查询字符串中的敏感数据。 From a security standpoint, you would generate a crypto-secure random token with a short expiration to be sent in the email and use that to identify the user when they return to activate. 从安全的角度来看,您将生成一个具有短有效期的加密安全随机令牌,该令牌将在电子邮件中发送,并在用户再次激活时使用它来识别用户。

I would suggest sticking to the tried and true registration approaches, and just dealing with the extra tables and columns. 我建议您坚持使用久经考验的真正注册方法,并只处理多余的表和列。 Generally speaking, when it comes to security, rolling your own solution is a bad idea (A rule of thumb that I abide by, and I think just about everyone else should too). 一般而言,在安全性方面,推出自己的解决方案是一个坏主意(我遵守的经验法则,我认为其他所有人也应该这样做)。

暂无
暂无

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

相关问题 DotNetNuke对用户注册的自定义操作 - DotNetNuke custom action on user registration 用户注册时未设置 BirthDate 和 BirthDateRaw - BirthDate and BirthDateRaw not set on user registration 用户注册 - 登录代码错误 - User Registration - Login Code Error 检查用户是否在注册页面上 - Checking if user exists on registration page 分析用户资格数据的最佳方法(C#和SQL Server) - Optimal way to analyze user qualifications data (C# and SQL server) C#用户注册表格问题 - C# User Registration Form Issue 注册MVC5后向用户添加角色 - Adding role to user after registration MVC5 访问用户注册向导中的自定义字段 - Access to custom field in user registration wizard 在Identity Server 4中添加自定义用户注册页面 - Adding custom user registration page in Identity Server 4 使用特殊代码确认新用户注册 - Using special code to confirm new user registration
相关标签
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM