Can you do the user login function on the web?

The user login function on the web should be the most basic function, but after I have seen some site's user login function, I feel it is necessary to write an article to teach you how to do user login function. The following article tells you that this feature may not be as simple as you think, this is a relationship with user security features, I hope you can learn from the following article what kind of method is a good user login function. The following content, please keep the original text, please indicate the author and source.

user name and password

First, let's talk about user names and passwords first. This is not the first time this station has talked about it. How to manage your password let you know how to manage your password, break your password let you know that in the modern speed of the calculation speed, the use of poor to crack your password can be a very easy thing. Here I would like to tell you from the developer's point of view to do the design of this user name and password. Here are a few rules:

Restrict user input to passwords that are very easily cracked. Like what qwert,123456, password, and so on, as Twitter limits the user's password to make a password blacklist. In addition, you can limit the length of user password, whether there is case, whether there are numbers, you can use your program to do a check. Of course, this may make users feel uncomfortable, so, many websites now provide UX to let users know what the password strength is (such as this interesting UX), so that users have a choice to tell the user-to be safe, set the password a little better.

Never save a user's password in clear text. As with how to manage your password, many times, users log on to many sites with the same password for the same ID. So, if your site is explicitly saved, then if your data is being circulated by your bad employees, that's disastrous for the user. Therefore, the user's password must be encrypted to save, preferably with irreversible encryption, such as MD5 or SHA1, such as the hash algorithm is an irreversible encryption algorithm. CSDN Zeng Mingwen saved the user's password. (another, for the conduct of domestic companies and the management of the relevant departments, I do not dare to ensure that the domestic site encrypted to save your password.) I think, as a conscientious person, we should encrypt the password to save the user.

Whether to have the browser save the password. We have more than n ways to keep the user name and password from being saved by the browser. But this may be very unpleasant for users. Because in the real world no one can remember so many passwords. Many users may use password management tools to save passwords, and browsers are just one of them. Whether to let the browser save this requires you to make a decision, the focus is to see if your system security level requirements are higher, if so, do not let the browser to save the password, and the site in the obvious location to tell users-the safest place to save passwords only your brain.

Password transmission on the Internet. Because HTTP is a plaintext protocol, user names and passwords are sent on the Internet, which is not safe. You can take a look at this article and you'll see. You must use the HTTPS protocol to encrypt the transmission. However, in China there are still many Web sites that use ActiveX controls for Web logons, which may be a significant reason for IE6. I usually understand that these ActiveX controls are for the purpose of the anti-Keylogger program. However, I still feel that ActiveX controls should not exist because ActiveX controls are not visible in many of the most secure and important sites abroad.

User logon Status

First of all, I would like to tell you that, because HTTP is a stateless protocol, that is, the protocol is unable to record the user access state, each request is independent and unrelated, a sum is a sum. And our site is designed to multiple pages, the page jump process we need to know the user's state, especially the user login status, so that we do not know after the page jump to let users have the right to operate some functions or to view some data.

Therefore, each of our pages need to authenticate the identity of the user. Of course, it is impossible for users to enter user names and passwords on each page, which can make users feel that our site is quite sb. In order to achieve this function, the most used technology is the browser cookie, we will be the user login information stored in the client's cookie, so that each of our pages from the cookie to get the user whether the login information, so as to achieve record status, verify the user's purpose. But do you really use cookies? Here are some guidelines for using cookies.

Never store a user's password in a cookie. The encrypted password is not acceptable. Because this password can be acquired and tried to go offline and be exhaustive. Therefore, you must not keep the user's password in the cookie. I see too many sites to do so.

Correctly design "Remember Password". This feature is simply a security risk, I think not all programmers know how to design this thing. The general design is--a moment the user checked this function, the system will generate a Cookie,cookie including username and a fixed hash value, this fixed hash value is always used. This way, you can log on to all the devices and customers, and you can have multiple users logged in at the same time. This is not very safe. Here are some more secure ways for you to refer to:

(--Update 2011/08/26, there are some minor mistakes in the original text, and it's not clear, readjust it again--)

1 in cookies, save three items-user name, login sequence, login token.

User name: Clear deposit.

Logon sequence: A random number that has been MD5 hashed, only to be updated when a user is forced to enter a password (for example, a user modifies a password).

Login token: A random number that has been MD5 hashed, only one login session is valid, and the new logon sessions update it.

2 The above three things will exist on the server, the authentication user of the server needs to verify the three things in the client cookie.

3 This design will have what effect, will have the following effect,

A The login token is a single instance login. It means that a user can only have one login instance.

b The login sequence is used to detect the misuse behavior. If the user's cookie is stolen, when the user uses this cookie to visit the site, our system is considered to be a legitimate user, and then update the "login token", while the real users back to access, the system found only "username" and "login sequence" the same, but "login token" is not, In this case, the system will know that the user may have been embezzled, so the system can clear and change the login sequence and login token, so that all cookies can be invalidated and require the user to enter a password. And to warn users of system security.

4 of course, the above design will still have some problems, such as: the same user's different device login, and even on the same device using a different browser security login. One device invalidates the login token and login sequence of another device, allowing other devices and browsers to log on again, creating a false cookie. So, you also need to consider the Server service-IP address,

A If you log in as a password, we do not need to update the server's "login sequence" and "Login token" (but need to update cookies). Because we think that the password only the real user knows.

b If the IP is the same, then we do not need to update the server's "login sequence" and "Login token" (but need to update cookies). Because we think that the same user has the same IP (of course, the same LAN also has the same IP, but we think this LAN is user-controlled. This feature is not recommended for use in Internet cafes.

c) if (IP different && not with password login), then, "Login token" will change between multiple IP (login token in two or more IP between the transformation), when a certain number of times to reach a certain amount of time, The system will really feel that the possibility of misappropriation is high, at this time the system in the background to clear the "Login sequence" and "login token", so that the cookie expires, forcing users to enter a password (or require users to change the password), to ensure that multiple devices on the same cookie.

Do not allow cookies to have access to all operations. Otherwise, XSS attacks, see the XSS attack on Sina Weibo. The following features make sure that the user enters a password:

1) Modify the password.

2) Modify email. (e-mail is used to retrieve the user's password)

3 User's privacy information.

4 User consumption function.

Weigh the expiration time of the cookie. If it is never expired, there will be a good user experience, but this will also let users quickly forget the login password. If you set the expiration date, such as 2 weeks, one months, then it may be better, but 2 weeks and one months later, users will still forget the password. In particular, users on some public computers, if the preservation of permanent cookies, is tantamount to leaking the account. Therefore, we also need to weigh the expiration time of the cookie.

the ability to retrieve passwords

The function of retrieving the password must be provided. But many friends don't know how to design this feature. We have a lot of design to retrieve the password, I'll comment on it.

Never use security questions. It turns out that this is annoying and that users don't have a good set of security questions. What, my birthday, my mother's birthday, and so on. Because today's internet is not the same as before, because SNS, today's interconnection is more real than before, I can on Facebook, happy, Renren, LinkedIn found a lot of your real information. With this information I can reset your password with a security question. Here need to say the security of Facebook,facebook is very powerful, but also to you through the photo parade, hehe.

Do not reset the user's password. Because it is possible for the user's password to be maliciously attacked. Of course, you have to send an email to the user to confirm, the user clicks on a link in the mail, you reset. I do not recommend such a method, because users will usually take notes down this difficult to remember the password, and then log on to the system, because the login system using the "Remember password" function, so that users will not modify the password, so either to lead to the written password was stolen, or forgot the password.

A better approach--Reset yourself by mail. When the user requests to retrieve the password function, the system generates a MD5 unique random string (can pass uid+ip+timestamp+ random number), puts in the database, then sets up the time limit (for example 1 hours), sends the user to send a mail, this connection contains that MD5 string link, Users reset their new passwords by clicking on the link.

A better approach-multiple certifications. For example: through the mobile phone + mail to allow users to enter the verification code. Mobile + mail may not be sure, because the phone can be lost, and my mobile phone can access my mailbox. So, use the U Shield, SecureID (a changing 6-digit token), or verify the user's identity in a manual way. Of course, this mainly depends on the security level of your system.

Password Detection Defense

Use the verification code. The verification code is a short code that is randomly generated in the background, which is generally a very difficult picture to identify with the computer. This prevents the user's password from being tried in a procedural way. As it turns out, this is the simplest and most effective way. Of course, always allow users to enter those who can not see the naked eye of the user experience is not good, so, you could compromise. Google, for example, asks you to enter a CAPTCHA when he finds an IP address that sends out a lot of searches. When he finds that the same IP is registered with more than 3 Gmail mailboxes, he needs to send you a text message or a phone-type authentication code.

Number of user password failures. Reset password failed to the upper limit, if too many failures, the account is locked, require the user to retrieve the password way to reactivate the account. However, this feature may be used by malicious people. The best way to do this is to increase the time cost of its attempt (the previous article says a decryption algorithm that increases the time cost). For example, the interval of two password attempts is 5 seconds. More than three times the error, the account was temporarily locked 30 seconds, 5 times the account number is locked for 1 minutes, 10 times more than the wrong account is locked 4 hours ...

System Global Defense. The above defense is only for an individual user. Malicious people know this, so they typically use "botnet" rounds to try a bunch of user's passwords, so the above approach may not be good enough. We need to monitor the number of failed passwords on the system global domain. Of course, this needs to be supported by data that we don't normally get attacked with. For example, your system, an average of 5,000 times a day password error events, then you can think that when the password error significantly more than this number, and the relative concentration of time, it means that there is a hacker attack. What do you do at this time? The most common method is to increase the time cost of trying again after all users have lost the wrong password.

Finally, again, with regard to user login, the use of Third-party OAuth and OpenID is also a good choice.