Paip: Improving user experience and security. A summary of logon and permission processes
Contents
Determine logon status
Multiple logins and setting a logon token
Ensuring real-time password modification
All current logon sessions are displayed upon logon
Logon location change prompt
Do not store users' passwords in cookies
Limit the number of logon attempts with password errors (prevents program cracking)
Cookie theft detection
Use a verification code
Global system defense
Third-party OAuth and OpenID are also a good choice
View logon records
Logon exception records
Reference
Determine logon status
In addition to checking that the user-name cookie exists and is well formed, you must also check that the password modification sequence (pwdseq) carried in the cookie equals the one stored in the database. Otherwise the password is deemed to have been changed and the user must log on again.
Multiple logins and setting a logon token
A user may need to log on from multiple devices, so multiple logon sessions must be supported.
Each login session must be stored on the server. The cookie carries (sessionid, username, pwdseq, sign, exp, createdate), and the server keeps the matching session record.
If strict logon is required, the server stores only one session for this user.
Handling of disconnection:
Prompt that the user already has a login session. If the user needs to forcibly clear that session, verify the request with security questions.
Ensuring real-time password modification
When the user changes the password, set the server-side pwdseq to a hash of the current time.
When determining whether a user is logged on, also check whether the pwdseq in the cookie matches the latest server-side pwdseq. If it differs, the password has been changed: the client resets the cookie and prompts that the password has just been modified and the user needs to log on again.
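The cookie layout from the "Multiple logins" section and the pwdseq check described above, as an added example (not code from the original post). The signing key, the in-memory user table and the field names are constructed for illustration; a real deployment would keep the session record and pwdseq in its database.

```python
import hmac, hashlib, json, time, secrets, base64

# Constructed server-side state for the example: one user record holding the
# current password-modification sequence (pwdseq) and the server's signing key.
SERVER_KEY = b"constructed-example-key-rotate-in-production"
USERS = {"alice": {"pwdseq": "seq-1"}}

def b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode().rstrip("=")

def sign(payload: str) -> str:
    return b64(hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).digest())

def issue_cookie(username: str, ttl: int = 3600, now=None) -> str:
    """Build the logon cookie: sessionid, username, pwdseq, exp, createdate + HMAC sign."""
    now = int(time.time()) if now is None else now
    fields = {
        "sessionid": secrets.token_hex(16),
        "username": username,
        "pwdseq": USERS[username]["pwdseq"],
        "exp": now + ttl,
        "createdate": now,
    }
    payload = b64(json.dumps(fields, sort_keys=True).encode())
    return f"{payload}.{sign(payload)}"

def change_password(username: str, now=None) -> None:
    """On a password change, set pwdseq to a hash of the current time, so every older cookie stops validating."""
    now = time.time() if now is None else now
    USERS[username]["pwdseq"] = hashlib.sha256(f"{username}:{now}".encode()).hexdigest()

def check_logon(cookie: str, now=None):
    """Return (logged_on, reason). Rejects tampering, expiry and a stale pwdseq."""
    now = int(time.time()) if now is None else now
    try:
        payload, sig = cookie.rsplit(".", 1)
    except ValueError:
        return False, "malformed cookie"
    if not hmac.compare_digest(sig, sign(payload)):
        return False, "bad signature"
    fields = json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))
    user = USERS.get(fields.get("username"))
    if user is None:
        return False, "unknown user"
    if fields["exp"] <= now:
        return False, "session expired"
    if fields["pwdseq"] != user["pwdseq"]:
        return False, "password changed, log on again"
    return True, "ok"
```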
All current logon sessions are displayed upon logon
When a user is logged on in multiple locations, they can view and manage all current logon sessions and kick out any abnormal session.
Logon location change prompt
When the logon location differs from the previous one, you must prompt the user: "Your logon location has changed. The last logon location was XXXX, the logon IP address was XXXX, and the login time was XXX. If that was not you, please change your password promptly."
If the login location is the same, you only need to prompt: "XXX, your last login time was XXX. If that was not you, please change your password promptly."
In addition, the user can view logon records in the user center, including both failed and successful records, to learn about the security of the account and decide whether to change the password or take other measures.
Do not store users' passwords in cookies
Not even an encrypted password is acceptable: it can be obtained and attacked offline. Therefore, never store the password in cookies. I have seen too many sites doing this.
Limit the number of logon attempts with password errors (prevents program cracking)
Cookie theft detection
Compare the IP address of the current request with the IP address recorded for the session.
Use a verification code
Global system defense
The defenses above only target an individual user. Malicious users are aware of this, so they generally use botnets to try a bunch of user passwords, and the above method may then not be good enough. We need to monitor the number of password failures across the whole system. Of course, this requires baseline data collected while we are not under attack. For example, if your system averages 5000 password errors per day, then when the number of password errors exceeds that limit and the failures are concentrated in time, it indicates a hacker attack. What do you do at this point? The most common method is to increase the time cost for all users to try again after entering a wrong password.
Third-party OAuth and OpenID are also a good choice
View logon records
Users can view their logon records in the user center, including failures and successes, to find insecure logon records.
Logon exception records
Recording logon exceptions helps improve the user experience and is used to analyze problems. Record the details that your registration and logon flow needs.
Reference
Coolshell, "Can you implement the web user login function?"