I read an article in the morningArticle No nonsense MVC getting started tutorial 9 [Practice 1: user registration and Login ],No nonsense, practiceThese powerful words attract and read. Objectives of this article: 1. Independent Development user registration and login! After reading the paper, I found it inappropriate. So I commented and was strongly refuted by the bloggers. I am a little talented. Maybe I am not good at speaking. I apologize to the blogger here.
Registration and logon are almost essential modules for every web application. Generally, we will discuss them with our interviewees during interviews.
I personally think that the following two points should be taken into account for registration and login:
- There are many related blogs in the garden.
- Keep logon status, cookies secure
User Password Storage
Obviously, no one will store it in plain text now.ProgramSecond. There are many articles in this area in the garden, which can be searched. You can select MD5 encryption, add your own salt value, orUsers use the user name registered as the salt, or change the MD5 encryption method.
Keep logon status, cookies secure
HTTP is stateless, and the server needs to know the user's logon status. Therefore, an identifier is required to identify the user's logon status. After a user logs on, the user information, such as userid or username, needs to be written into cookies as the user's login identity. Is it safe? Obviously, cookies can be forged. userid or username can be easily known on the website. If you forge a cookie, you can log on to any user to bypass the user password. So there is no way to encrypt it. Yes, no one else can see it after encryption. If you don't know the encryption method, You can't forge it. Is this safe? Apparently not. If you copy the encrypted string to another computer and use another browser, will this user be logged on. Therefore, a key is required to identify the uniqueness of the logon status. The key can be encrypted by the browser ID, IP address, and other parameters. This is a relatively reliable way to save the logon status.
What should I do if I forget my password? I also need to provide a place for resetting my password. There are many methods for resetting my password, such as answering questions, mobile phones, and emails.
ExampleCodeI don't feel necessary. It's easy to know the idea code.