Watch your door.-Ensure the security of the authentication mechanism (3)-Handle validation information correctly

Source: Internet
Author: User

The first thing to declare is that this article is purely an ignorant view of a little developer without foresight and knowledge, and is intended only for reference in Web system security.

1. Prerequisites

Implementing a secure authentication mechanism not only meets several key security goals at the same time, but also at the expense of other goals. such as ease of use, cost, and functionality.

2, the basic requirements of the correct processing of verification information

Some basic requirements, written down, can also be consulted later.
1. To confirm the complete user name and password information, that is, to distinguish between case, do not filter or modify any characters, do not add or truncate the password;
2. The application should proactively defend against unforeseen times during processing of the validation information. Importantly, if the system does not pass the normal validation, then the default return value is "false", do not use success as the default value;
3. A thorough code review of the core code that validates the login information (this piece is often not done, and everyone thinks the user landing is a very simple job; the most important door is often the least experienced intern in the team to develop)
4. If the application supports the User Spoofing feature (also called user change), it should be tightly controlled to prevent an attacker from abusing him for unauthorized access. Because this function is extremely dangerous, it is best to remove from the public-facing application, up to CN2, DCN and other internal network limited release;
5. And the login phase progress and various validation results should be stored on the server side, can not be transmitted to the client or let the client read;
6. Prohibit users from submitting a login information multiple times, and prohibit users from modifying the data that has been confirmed;
7. Any landing phase, it is to verify that the previous phase is completed successfully, rather than trust Referer and other similar can be modified, once the previous phase is not completed, you should immediately mark the verification attempt as a malicious attempt;
8. In order to further improve the security needs, can be in the landing process to allow users to answer a random change of the problem, to maximize the difficulty of the attackers;
9. If a particular user is asked a specific problem, then the problem of long-term storage, the user every time the failure to log on to use this problem, until the user correctly answer. (Avoid attackers to facilitate bank or similar cases)

Watch your door.-Ensure the security of the authentication mechanism (3)-Handle validation information correctly

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.