
Linking two user accounts together

I am building a method for users of my website to link their accounts together, so that resources can be shared between them. My process so far is:

  • 1) User enters email addresses of users he wants to link with.
  • 2) If matches are found, these users receive an email.
  • 3) Email contains a confirmation link. If the recipient clicks this, the connection between the two accounts will be formed.

I'm wondering how secure I need to be with this final step. My confirmation link is in the format: domain.com/link-confirm.php?fromid=xxx&toid=yyy

In theory, it would be possible for anyone to spoof this link, if they knew the user id of their target, thus setting up a connection without permission.

I tried hashing both user ids, then scanning through the user database for matches, but the password_verify function takes so long to run that the page times out (and that's with only 1000 users).

What I would like to know is: Does my plan above make sense? Is there a neater way of doing it? Am I right to be concerned about the spoofing (connecting the accounts does not in itself share any data between users, it merely makes it possible for either user to initiate)?

Thanks

You can just encrypt both id values and, after obtaining them from GET, decrypt them; hashes don't need to be used here. That way it will take thousands of years for somebody to brute-force spoof them.

What you could do is generate some unique data per account linking request and require that unique data to be sent with the linking acceptance request.

So for example, user A requests to link with user B, you store the request with some unique data like a random hash and a timestamp, and then when user B clicks "accept" in his email, he is sent to a page on your server. The link in the email contains the unique data that is submitted to the page. You check if the unique data is indeed the data that was generated when user A submitted the request, and, if so, boom, users linked.
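The per-request token flow described in the last answer, as an added example that is not part of the original question or answers. The table and column names, the `token` query parameter, the 24-hour lifetime, the in-memory SQLite database and the requirement that the recipient is logged in when clicking are all assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Constructed schema for the example; table and column names are assumptions.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE link_requests (
    token_hash TEXT PRIMARY KEY,
    from_id    INTEGER NOT NULL,
    to_id      INTEGER NOT NULL,
    expires_at INTEGER NOT NULL,
    used       INTEGER NOT NULL DEFAULT 0
)');

// User A asks to link with user B: returns the token to embed in the e-mail link.
function createLinkRequest(PDO $db, int $fromId, int $toId, int $ttl = 86400): string
{
    $token = bin2hex(random_bytes(32)); // 256 bits from the CSPRNG, unguessable
    $stmt = $db->prepare('INSERT INTO link_requests
        (token_hash, from_id, to_id, expires_at) VALUES (?, ?, ?, ?)');
    // Only the hash is stored, so a database leak does not expose usable links.
    $stmt->execute([hash('sha256', $token), $fromId, $toId, time() + $ttl]);
    return $token;
}

// User B clicks the link while logged in: returns the sender's id, or null if rejected.
function confirmLinkRequest(PDO $db, string $token, int $loggedInUserId): ?int
{
    $hash = hash('sha256', $token);
    // One UPDATE marks the row used, so the token works only once, only before
    // expiry, and only for the account the request was addressed to.
    $stmt = $db->prepare('UPDATE link_requests SET used = 1
        WHERE token_hash = ? AND to_id = ? AND used = 0 AND expires_at > ?');
    $stmt->execute([$hash, $loggedInUserId, time()]);
    if ($stmt->rowCount() !== 1) {
        return null;
    }
    $sel = $db->prepare('SELECT from_id FROM link_requests WHERE token_hash = ?');
    $sel->execute([$hash]);
    return (int) $sel->fetchColumn();
}

// Constructed demo: user 17 invites user 42.
$token = createLinkRequest($db, 17, 42);
echo "https://domain.com/link-confirm.php?token=$token\n";
var_dump(confirmLinkRequest($db, $token, 99)); // a different account clicks
var_dump(confirmLinkRequest($db, $token, 42)); // the intended recipient clicks
var_dump(confirmLinkRequest($db, $token, 42)); // the same link is clicked again
```

Because the token is looked up by a fast SHA-256 hash on the primary key, there is no scan over the user table and no need for `password_verify`, which is deliberately slow and meant for passwords rather than high-entropy random tokens.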
