Matching Passwords with Front-End or Back-End?
Does anyone have any information on the industry-standard or best practice for checking matching passwords (e.g. Gmail's "passwords do not match" feedback)? Is it a back-end, front-end or client-side process? Or is it completely based on other factors?
Here is an example of the code that I am using (Python with Bottle) to sign up a user. The code works, but I am unsure whether I should provide a flash message from the back-end (where it returns "Passwords do not match") or whether it would be better to use something like JS? I know that there are scripts out there to validate this, but they are all JS. My question is not how to do it with JS, but which is the preferred method.
    import sqlite3
    from crypt import crypt  # assumed: the snippet calls crypt() without showing where it comes from

    from bottle import request, route, template


    @route('/suser', method='POST')
    def sign_suser():
        cemail = request.forms.get('semail')
        cpassword1 = request.forms.get('spass1')
        cpassword2 = request.forms.get('spass2')
        ctype = request.forms.get('stype')
        if cpassword1 != cpassword2:
            # server-side mismatch feedback, returned as a bare HTML fragment
            return "<p>Passwords do not match</p>"
        else:
            pwhash = crypt(cpassword1)
            connection = sqlite3.connect("whatever.db")
            cursor_v = connection.cursor()
            # parameterised insert, so the form values are never spliced into the SQL
            cursor_v.execute("insert into users (cemail, cpassword, atype) values (?,?,?)",
                             (cemail, pwhash, ctype))
            connection.commit()
            cursor_v.close()
            info = {'status': 'User Added',
                    'type': 'success'}
            return template('whatever', info)
Checking if two password fields match during a sign-up should be done purely with client-side logic. It is provided as a safety against a user mistakenly inserting a typo into their password. A server-side check is pointless, as your client will have prevented it, and if your user is a tech-savvy individual that does everything with curl then it's on them if they mess up.
Also, I will expand on your question about best practices. You should not immediately save the user in your database without them first verifying, via a link usually sent to their email, that it is valid. Remember: never trust anything provided by the user.
You need to distinguish between two cases:
For 1, I would just use a regular connection to the back-end either when submitting the value or while typing (if the response from the back-end is fast enough).
For 2, you have several options:
Your example, however, comprises the matching of two passwords (equality check). This is a special case, because you cannot use a regular expression to check the validity of the value. This precludes the recommended case from above and leaves the two other mentioned solutions.
If your sole purpose is to compare the two values, I would recommend duplicating the logic. Duplicating is in this case (imho) somewhat justified because the check is very simple and not likely to change over time. Making a check to the back-end solely to check for equality is (imho) overstated.