用户名可用性安全问题
[英]username availability security concerns
问题描述
In a registration form I have, I put an ajax call to check if the username is available. 
在我的注册表中,我发出了一个ajax调用来检查用户名是否可用。
However, I am concerned that this opens up the system for a bot checking for valid usernames. 但是,我担心这会为机器人检查有效用户名打开系统。
How can I secure the service from external calls? 如何通过外部呼叫保护服务?
Thanks 谢谢
2 个解决方案
解决方案1
5 2010-12-26 21:11:04
How can I secure the service from external calls?
Well... ANY user trying to register would be an "external call"! 嗯......任何试图注册的用户都是“外部呼叫”!
I don't see how username checking would be a security risk. 我不知道用户名检查会如何成为安全风险。 A bot could just register as fsdjiojiejfio and be pretty darn sure nobody took that before. 机器人可以注册为fsdjiojiejfio并且相当确定之前没有人接受过。
I would rather invest time into securing the registration process so that bots cannot register, even with a valid username. 我宁愿花时间确保注册过程,以便机器人无法注册,即使使用有效的用户名。
解决方案2
1 2010-12-26 21:17:39
I presume your concern is that allowing "is this username available?" 我认为你担心的是“这个用户名是否可用?” checks would allow someone with nefarious intent to only have to guess a password to log in, rather than having to guess a username as well. 检查将允许有恶意的人只需要猜测密码登录,而不必猜测用户名。 I think that's a valid concern, though I'm not sure I would worry myself overly about it. 我认为这是一个有效的问题,虽然我不确定我会过分担心它。
The only secure way around this issue, I think, would be to require a captcha before you get to the registration page. 我认为,解决这个问题的唯一安全方法是在进入注册页面之前要求使用验证码。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.