Matching Passwords with Front-End or Back-End?

Does anyone have any information on the industry-standard or best practice for checking matching passwords (e.g. Gmail's "passwords do not match" feedback)? Is it a back-end, front-end or client-side process? Or is it completely based on other factors?

Here is an example of the code that I am using (Python with Bottle) to sign up a user. The code works, but I am unsure whether I should provide a flash message from the back-end (where it returns "Passwords do not match") or whether it would be better to use something like JS. I know that there are scripts out there to validate this, but they are all JS. My question is not how to do it with JS, but which is the preferred method.

import sqlite3
from crypt import crypt          # Unix crypt(3) wrapper; deprecated since Python 3.11, removed in 3.13
from bottle import route, request, template

@route('/suser', method='POST')
def sign_suser():
    # Form fields as posted by the sign-up page
    cemail = request.forms.get('semail')
    cpassword1 = request.forms.get('spass1')
    cpassword2 = request.forms.get('spass2')
    ctype = request.forms.get('stype')
    if cpassword1 != cpassword2:
        # Back-end "flash" response the question asks about
        return "<p>Passwords do not match</p>"
    else:
        # crypt(word) with no salt argument generates a salt itself (Python 3.3+)
        pwhash = crypt(cpassword1)
        connection = sqlite3.connect("whatever.db")
        cursor_v = connection.cursor()
        # Parameterized query: the values are bound, not interpolated into the SQL string
        cursor_v.execute("insert into users (cemail, cpassword, atype) values (?,?,?)", (cemail,pwhash,ctype))
        connection.commit()
        cursor_v.close()
        info = {'status': 'User Added',
                'type': 'success'}
        return template('whatever',info)

Checking if two password fields match during a sign-up should be done purely with client-side logic. It is provided as a safety against a user mistakenly inserting a typo into their password. A server-side check is pointless, as your client will have prevented it, and if your user is a tech-savvy individual that does everything with curl then it's on them if they mess up.

Also, I will expand on your question about best practices. You should not immediately save the user in your database without them first verifying, via a link usually sent to their email, that it is valid. Remember: never trust anything provided by the user.

You need to distinguish between two cases:

  1. You are not able to validate the value without using a database or any non-sharable technique in the back-end. In this case, your only possibility is to check it in the back-end (with e.g. an Ajax call or a communication over WebSockets). Examples for this kind of validation are: username/password validation or anything which needs a connection to a database, or a proprietary algorithm that checks a value with logic which cannot be published.
  2. You can validate the value without checking it first in the back-end (database). In this case, you can move the check for performance reasons to the front-end/client side. You still have to protect the back-end against incorrect values (in case of an attack, corrupt JavaScript etc.). Examples for this kind of check are e.g. email address validation, phone number validation etc.

For 1, I would just use a regular connection to the back-end, either when submitting the value or while typing (if the response from the back-end is fast enough).

For 2, you have several options:

  • Do it like in 1. Make a back-end check either while submitting or during the input. This may have some performance issues though (mainly if you are checking it on key down). If you are checking it after submitting, the validation is not real time.
  • Do it with separate validations on the front-end side and the back-end side. This is not recommended. You are duplicating code between the front-end and the back-end. Avoid it as often as possible.
  • Do it with shared validation patterns in the front-end and the back-end. This is my recommended way of validating values. This validation works best if the checks are done with regular expressions (regex). The back-end has a Map() of patterns which is provided over an interface to the front-end. The patterns are loaded initially, when the web application is loaded, and are then present during the runtime of the application. This makes sure that the validations are always the same on the back-end and front-end side.

Your example, however, comprises the matching of two passwords (an equality check). This is a special case, because you cannot use a regular expression to check the validity of the value. This precludes the recommended case from above and leaves the two other mentioned solutions.

If your sole purpose is to compare the two values, I would recommend duplicating the logic. Duplicating is in this case (imho) somewhat justified because the check is very simple and not likely to be changed over time. Making a call to the back-end solely to check for equality is (imho) overstated.
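As an added example (not this answer's own code and not part of the question's Bottle application): a stdlib-only Python module that implements the shared-pattern approach from the third option above together with the explicit equality check this answer recommends duplicating. The field names (semail, stype, spass1, spass2) are taken from the question's handler; the regular expressions, the allowed stype values and the idea of a GET route that serves the pattern map as JSON are assumptions made for illustration.

```python
import json
import re

# Constructed, illustrative pattern map (assumption: not the answer's own
# patterns). The back-end owns these; the front-end loads them once at page
# load and compiles the same strings with `new RegExp(...)`.
SHARED_PATTERNS = {
    "semail": r"^[^@\s]+@[^@\s]+\.[^@\s]+$",   # loose e-mail shape
    "stype": r"^(free|pro)$",                  # constructed account types
}

# Compiled once at import time on the server side.
_COMPILED = {name: re.compile(p) for name, p in SHARED_PATTERNS.items()}


def pattern_map_json():
    """Body that a hypothetical GET /validation-patterns route would return.

    Serving the raw pattern strings lets the browser build identical
    regular expressions instead of keeping a second, hand-copied set.
    """
    return json.dumps(SHARED_PATTERNS)


def validate_signup(form):
    """Server-side validation of the sign-up POST.

    `form` is a plain dict of field name -> posted value (what
    request.forms holds in the question's handler). Returns a dict of
    field name -> error message; an empty dict means the form is valid.
    Missing or non-string fields are rejected rather than raising.
    """
    errors = {}

    # Pattern-based fields: the same regexes the client uses, re-applied
    # here because the client can be bypassed (curl, disabled or altered JS).
    for field, regex in _COMPILED.items():
        value = form.get(field)
        if not isinstance(value, str) or regex.fullmatch(value) is None:
            errors[field] = "invalid value for %s" % field

    # Equality is the one rule that cannot be expressed as a shared regex,
    # so it is written out explicitly, mirroring the client's JS check.
    p1 = form.get("spass1")
    p2 = form.get("spass2")
    if not isinstance(p1, str) or not p1:
        errors["spass1"] = "password is required"
    elif p1 != p2:
        errors["spass2"] = "Passwords do not match"
    return errors


if __name__ == "__main__":
    # Constructed sample input with a typo in the confirmation field.
    sample = {"semail": "user@example.com", "stype": "free",
              "spass1": "hunter2", "spass2": "hunter3"}
    print(validate_signup(sample))
```

The front-end fetches the JSON once and builds RegExp objects from it, so both sides apply byte-identical patterns; the server still runs validate_signup on every POST, because the client-side check can be skipped entirely (the curl case the first answer mentions), and the equality rule is the only part that has to be written twice.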
