简体繁体 English

这是一个合理的用户注册流程吗？

[英]Is this a reasonable user registration process?

原文 2009-02-17 20:19:44 0 10 authentication/ web-applications

I'm working on a registration process for an internal application. 我正在为内部应用程序进行注册过程。 My initial design is below. 我的初步设计如下。

My main question is whether it's really necessary to include a registration_confirmation_code . 我的主要问题是是否真的有必要包含registration_confirmation_code 。 Does it protect the app from a realistic threat or just add unnecessary complexity? 它是否可以保护应用程序免受现实威胁或仅增加不必要的复杂性？ I'm not sure about that. 对此我不确定。

User enters email address. 用户输入电子邮件地址 Since this is an internal app, it has to be an agency address. 由于这是一个内部应用程序，它必须是代理地址。
If it's a valid agency address, app creates a new row in the users table. 如果它是有效的代理商地址，则app会在users表中创建一个新行。
- The table has a column registration_confirmed which is false by default. 该表有一个registration_confirmed列，默认为false 。 App won't let a user log in unless registration_confirmed is true . 除非registration_confirmed为true ，否则应用程序不会让用户登录。
- The table has a column registration_confirmation_code which is a randomly-generated string. 该表有一个registration_confirmation_code列，它是一个随机生成的字符串。
App sends an email to the address the user entered. 应用程序向用户输入的地址发送电子邮件。 It contains a link to a page that will let the user confirm their registration and set their username and password. 它包含指向允许用户确认其注册并设置其用户名和密码的页面的链接。
The link has the user's id and registration_confirmation_code in the query string: 该链接在查询字符串中包含用户的id和registration_confirmation_code ：
http://agencydomain.com/users?id=123&registration_confirmation_code=fab49dk34nw97d
By clicking on the link the user verifies that the address they entered is valid and that they have access to it. 通过单击链接，用户可以验证他们输入的地址是否有效以及他们是否有权访问该地址。
The app finds the user by ID. 应用程序按ID查找用户。 Before allowing them to visit the page where they can set their username and password, the app checks that... 在允许他们访问可以设置用户名和密码的页面之前，应用程序会检查...
- registration_confirmed is false . registration_confirmed为false 。 They should only be able to confirm their registration once. 他们应该只能确认一次注册。
- registration_confirmation_code request param matches the value in the DB for that user. registration_confirmation_code请求参数匹配该用户的DB中的值。 That ensures this is a legitimate registration confirmation by the intended user and not someone else hitting the URL with random IDs trying to hijack a registration. 这确保了这是目标用户的合法注册确认，而不是其他人用试图劫持注册的随机ID命中URL。
If everything checks out, the app takes them to a page with a form for setting their username and password. 如果一切都结束，应用程序会将他们带到一个页面，其中包含用于设置用户名和密码的表单。
When they submit the form with valid data, app sets registration_confirmed to true and they are registered. 当他们使用有效数据提交表单时，app会将registration_confirmed设置为true并进行注册。

10 个解决方案

Don't trust people even if they are internal to your organization. 即使他们是您组织的内部人员，也不要相信他人。 It sounds bad but unless you're dealing with a very small group, your method is a wise choice. 听起来很糟糕，但除非你和一个非常小的团队打交道，否则你的方法是明智的选择。

One more thing, you may want to ensure their email is unique. 还有一件事，您可能希望确保他们的电子邮件是唯一的。

Another approach is using a centralized authentication and skipping the whole registration process. 另一种方法是使用集中式身份验证并跳过整个注册过程。

On first login attempt, create a user profile from a template. 首次登录尝试时，从模板创建用户配置文件。

Authentication can be done a number of ways. 身份验证可以通过多种方式完成。 Ideally, something like LDAP (or Active Directory if that's how you swing). 理想情况下，像LDAP（或Active Directory，如果这就是你如何摆动）。 It's also possible to use the mail server for authentication, depending on how it is configured. 也可以使用邮件服务器进行身份验证，具体取决于其配置方式。

It's a good practice to verify any kind of input you receive from a visitor. 验证从访问者处收到的任何类型的输入都是一种很好的做法。 Rule of thumb is to always make sure you're getting what you expect, and nothing else. 经验法则是始终确保你得到你所期望的，而不是别的。 I'd say you're doing it well, including email verification. 我会说你做得很好，包括电子邮件验证。

A small question though; 但是一个小问题; why make it a two-step process? 为什么要把它分为两个步骤？ why not allow the user to enter a password right away? 为什么不允许用户立即输入密码？ This usually feels much more comfortable for the user. 这通常对用户来说感觉更舒服。

Also, instead of using registration_confirmation_code, you might want to consider using a MD5 hash (or the like) of the users' email address. 此外，您可能还需要考虑使用用户电子邮件地址的MD5哈希（或类似内容），而不是使用registration_confirmation_code。 That way, you don't need the extra field, and you can even leave out the ID if you like. 这样，您不需要额外的字段，如果您愿意，甚至可以省略ID。

-Dave 戴夫

The OpenID system was basically invented to solve this problem. OpenID系统基本上是为解决这个问题而发明的。 Basically, someone comes to your site and says "I am XYZ, and you can verify that by checking with ABC". 基本上，有人来到您的网站并说“我是XYZ，您可以通过ABC检查验证”。 You then have their OpenID provider (which would probably be a server in your company; if you have LDAP you're already most of the way there) verify they are who they say they are (by them logging into the OpenID provider's site). 然后你有他们的OpenID提供者（可能是你公司的服务器;如果你有LDAP，你已经大部分在那里），验证他们是谁（他们登录到OpenID提供商的网站）。 If you can trust the OpenID provider, and the OpenID account hasn't been compromised, then you've just verified your user. 如果您可以信任OpenID提供商，并且OpenID帐户尚未受到损害，那么您刚刚验证了您的用户。 You can probably get away without a formal registration process... just send them to the account setup screen (assuming you need more than the password + email in your example, as both of those are provided via OpenID) on their first login. 您可以在没有正式注册过程的情况下离开...只需将它们发送到帐户设置屏幕（假设您首次登录时需要的不仅仅是密码+电子邮件，因为这两个都是通过OpenID提供的）。

Note that OpenID can only verify that the user has the credentials for the given OpenID, not that the user is unique, or that they are who they say they are. 请注意，OpenID只能验证用户是否具有给定OpenID的凭据，而不是用户是唯一的，或者他们是否是他们所声称的人。 But this is really no different than any existing scheme. 但这与任何现有方案没有什么不同。

It has the advantages of not requiring the user to give you a password they might forget (and they can change their password with the OpenID provider and it will be changed for all their sites that use OpenID). 它的优点是不需要用户提供他们可能忘记的密码（他们可以使用OpenID提供商更改密码，并且将对所有使用OpenID的网站进行更改）。 There are OpenID libraries available for most major languages, and rolling your own shouldn't be too complex. 有大多数主要语言都可以使用OpenID库，而自己编辑也不应该太复杂。

You do seem to be going through an awful lot of effort for an internal application? 您似乎正在为内部应用程序花费大量精力？ How much fraud are you expecting? 你期待多少欺诈？

I like sites that use the email address as the login id. 我喜欢使用电子邮件地址作为登录ID的网站。 Also, why not get the password up front when they register? 另外，为什么不在注册时预先获得密码？

Protecting your application from even-less-verified-than-usual users is a good thing, but even better is that you're protecting random people from being spammed with email from your system. 保护您的应用程序免受经常验证的用户的影响是件好事，但更好的是保护随机用户免受来自您系统的电子邮件的垃圾邮件。 By requiring opt-in, you're ensuring that X can't sign up for your service claiming to be Y, and causing email to be sent to Y every time you'd like to contact the user. 通过要求选择加入，您确保X无法注册声称为Y的服务，并且每次您想要联系用户时都会将电子邮件发送给Y. It also gives Y the opportunity to say "what? no, this isn't me" and click reject, send an ARF report, or otherwise let you know that someone is having you on. 它还让Y有机会说“什么？不，这不是我”，然后点击拒绝，发送ARF报告，或以其他方式让你知道某人有你。

If you collect email addresses, you should always verify them. 如果您收集电子邮件地址，则应始终验证它们。

You still need to send them a confirm code via email. 您仍然需要通过电子邮件向他们发送确认代码。

Depending on the app, you dont want people signing up using a coworkers email address. 根据应用程序的不同，您不希望人们使用同事电子邮件地址注册。

i'd let the user in right after they click the link from the email, and send them a dummy pass that they can change later. 我会让用户在点击电子邮件中的链接后立即进入，并向他们发送一个他们可以在以后更改的虚拟通行证。 (use email for username) （使用用户名的电子邮件）

this eliminates one step from the process, and makes registration that much easier. 这消除了该过程的一个步骤，并使登记更容易。

The only 'attack' you are addressing through email confirmation, is registering new accounts using random email addresses. 您通过电子邮件确认解决的唯一“攻击”是使用随机电子邮件地址注册新帐户。

IOW, if you leave that step out, an 'attacker' could: 如果你离开那一步，“攻击者”可以：

register accounts using just random gibberish addresses 使用随机乱码地址注册帐户
register accounts using other people's addresses 使用其他人的地址注册帐户

Fortunately, in most applications, such an attack isn't very destructive. 幸运的是，在大多数应用程序中，这种攻击不是非常具有破坏性。 It may help the attacker forge someone else's identity in a social networking app, or make life slightly easier for a spambot, or it could be used just to annoy the legitimate owner of an email address -- but that's about it. 它可以帮助攻击者在社交网络应用程序中伪造别人的身份，或者让生活稍微容易一点，或者它可以用来惹恼电子邮件地址的合法所有者 - 但这就是它。

I'd say keep the registration requirement just in case, but scrap the two-step process (let the users create username+password right away). 我要说保留注册要求以防万一，但废弃两步过程（让用户立即创建用户名+密码）。