[英]time sensitive token system?
Is there a way to be able to send a link through an email that includes a url parameter that verifies the link was sent by the server, and verifies that the link was clicked with a certain period of time after the token was generated?有没有办法能够通过包含 url 参数的 email 发送链接,该参数验证链接是由服务器发送的,并验证链接是否在生成令牌后的一段时间内被点击?
You can do the following procedure:您可以执行以下过程:
when the user access your server, you:当用户访问您的服务器时,您:
You simply need a table to store the token,email addresss,date generated, date activated您只需要一个表来存储令牌、email 地址、生成日期、激活日期
when you generate the email you store the token email & generated date/time当您生成 email 时,您将存储令牌 email 和生成的日期/时间
in the email you put a url that contains a link to your web page and the token & email.在 email 中,您放置了一个 url ,其中包含指向您的 web 页面的链接以及令牌和 Z0C83ZA57C7831C7EB2B eg:
例如:
http://mysite.co.uk/activate.aspx?token=jhsdjsdslkwww7474&email=blah@blah.com
The web page then has to find the token and email address check the date and update the date activated if it is valid.然后 web 页面必须找到令牌,并且 email 地址检查日期并更新激活的日期(如果有效)。
I would store a random UUID in a distributed cache (for load balanced, multi-node system) and proceed as what woliveirajr mentioned above.我会将随机 UUID 存储在分布式缓存中(用于负载平衡的多节点系统)并按照上面提到的 woliveirajr 进行。 You also need to make sure that users will not abuse your system, so having some provisioning in Load-balancer (F5) to detect human vs. programmatic requests will help introducing a level of protection.
您还需要确保用户不会滥用您的系统,因此在负载平衡器 (F5) 中进行一些配置以检测人为请求与程序请求将有助于引入一定程度的保护。 Modify your security policy as you deem necessary.
根据需要修改您的安全策略。
If a system was developed to generate unique keys, email out those keys and accept http requests from the email with those keys.如果开发了一个系统来生成唯一密钥,则 email 取出这些密钥并使用这些密钥接受来自 email 的 http 请求。 Then yes.
好的。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.