On the "encryption and decryption design" mentioned under dynamic keys: that design ensures that every password and key, that is, every piece of important information, changes with each request. But suppose I use a packet-capture tool to intercept the GET or POST request, and the dynamically encrypted password in it is `keyjafjalewei78732`. If that content carries no validity-period check, I can still replay it to log on to the system and do malicious damage.
We often implement this in a single-sign-on setting that spans web systems, for example where system A sends a POST login request to system B. Two layers of protection can be applied:
First, the key is rotated once a day. The ciphertext also mixes in a random number and the current minute together with the key, and the receiver decrypts and checks them according to the agreed rules. The receiver can then tell whether the request was made within the last minute or within the last 5 minutes. Someone will object that 5 minutes is too long, but in practice the clocks of server A and server B are not necessarily synchronized, and a window shorter than 5 minutes sometimes fails. So someone will ask: as long as `keyjafjalewei78732` is replayed within those 5 minutes, I can still log in at will and do damage.
Second, at this point we can put `keyjafjalewei78732` into a cache with a validity period of 20 minutes. If someone then maliciously resends `keyjafjalewei78732`, the cache already holds it, and the login is still refused. The cached entries are lost if the cache server is killed, but by the time I have troubleshot and restarted the server more than 5 minutes will have passed, so the replayed value is already outside the time window.
Combining the two is therefore more secure and effectively controls malicious logins.
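The two protections described above, as an added example that is not code from the original post: the token carries a random nonce and the current minute, is bound to a daily key, and the receiver first checks a 5-minute freshness window and then a 20-minute replay cache. The post does not name its cipher, so the binding here is an HMAC over the fields rather than encryption (a swapped-in technique); the daily key is derived from a hypothetical master secret; the in-memory `ReplayCache` stands in for the cache server; and every value is constructed.

```python
import hashlib
import hmac
import secrets
import time

# Parameters taken from the post: a 5-minute freshness window and a 20-minute replay cache.
WINDOW_SECONDS = 5 * 60
CACHE_TTL_SECONDS = 20 * 60


def daily_key(master_secret: bytes, at: float) -> bytes:
    """Derive the key for the day containing time `at` (seconds since the epoch).

    The post only says the key is rotated daily; deriving it from a long-lived
    master secret with HMAC is this example's assumption, not the post's scheme.
    """
    day = int(at // 86400)
    return hmac.new(master_secret, f"day:{day}".encode(), hashlib.sha256).digest()


def make_token(master_secret: bytes, user: str, now: float) -> str:
    """Sender side (system A): bind user, a random nonce and the current minute under the daily key."""
    nonce = secrets.token_hex(8)
    minute = int(now // 60)
    body = f"{user}|{nonce}|{minute}"
    tag = hmac.new(daily_key(master_secret, now), body.encode(), hashlib.sha256).hexdigest()
    return f"{body}|{tag}"


class ReplayCache:
    """In-memory stand-in for the post's cache server; entries expire after `ttl` seconds."""

    def __init__(self, ttl: float):
        self.ttl = ttl
        self._expires_at = {}

    def seen_or_add(self, key: str, now: float) -> bool:
        """Return True if `key` is already recorded and still live; otherwise record it."""
        for k in [k for k, exp in self._expires_at.items() if exp <= now]:
            del self._expires_at[k]
        if key in self._expires_at:
            return True
        self._expires_at[key] = now + self.ttl
        return False


def verify_token(master_secret: bytes, token: str, now: float, cache: ReplayCache):
    """Receiver side (system B). Returns (accepted, reason)."""
    parts = token.split("|")
    if len(parts) != 4:
        return False, "malformed"
    user, nonce, minute_str, tag = parts
    if not minute_str.isdigit():
        return False, "malformed"
    minute = int(minute_str)
    body = f"{user}|{nonce}|{minute_str}"
    # Pick the daily key by the minute stamped in the token, so a token issued just
    # before midnight still verifies just after it.
    key = daily_key(master_secret, minute * 60)
    expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return False, "bad tag"
    # Freshness: the stamped minute must lie within the window of the receiver's clock
    # in either direction; the symmetric window is what tolerates unsynchronized clocks.
    if abs(now - minute * 60) > WINDOW_SECONDS:
        return False, "stale"
    # Replay: a valid, fresh token may be used once. The cache TTL (20 min) outlives the
    # window (5 min), so a token is remembered for as long as the freshness check would pass it.
    if cache.seen_or_add(tag, now):
        return False, "replayed"
    return True, "ok"


if __name__ == "__main__":
    secret = b"constructed-master-secret"  # constructed sample value, not a real key
    cache = ReplayCache(CACHE_TTL_SECONDS)
    t0 = time.time()
    tok = make_token(secret, "alice", t0)
    print("first use:", verify_token(secret, tok, t0 + 1, cache))
    print("replay:", verify_token(secret, tok, t0 + 2, cache))
    print("replay after cache restart, 6 min later:",
          verify_token(secret, tok, t0 + 360, ReplayCache(CACHE_TTL_SECONDS)))
```

The order of checks matters: the tag is verified before anything is written to the cache, so unauthenticated traffic cannot fill it, and the freshness check precedes the replay check so the cache only has to remember tokens for the window plus skew. The post's acknowledged residual gap is visible too: if the cache is emptied and a captured token is resent while it is still inside the 5-minute window, the login is accepted, which is why the cache TTL must be at least the window length and the restart of the cache server is expected to take longer than that window.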
Design ideas for preventing malicious logins