For example, a URL like the following:
https://foo.com/?timestamp=<time>&nonce=<random string>&sign=<signature>
I can think of the following methods:
1. Save to a database: on the first access, store the URL in the database; on any later access, check the database;
2. Save to the session: store it first, then check;
3. Store it in Redis, Memcached, etc. first, and then query;
Although the above methods meet the requirement, every request means a store and a query. That is fine while the data volume is small, but what about tens of millions or hundreds of millions of records? Is there a better solution?
I am wondering whether I can design an algorithm based on the URL's structure to verify whether it has been accessed, so that I store as little data as possible instead of the whole URL.
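A minimal sketch of option 3 above (store first, then query), assuming Redis via the redis-py client; the key prefix is made up for illustration. Note that the lookup and the store are two separate commands, which matters in the replies below:

```python
import redis

r = redis.Redis()  # assumes a local Redis instance

def seen_before(url: str) -> bool:
    """Naive store-and-check: look the URL up, then record it."""
    key = "seen:" + url
    if r.exists(key):
        return True   # already accessed at least once
    r.set(key, 1)     # record the first access
    return False
```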
Reply content:
You always need to store the fact "this URL has been accessed" somewhere on the backend; that cannot be avoided, and no algorithm can eliminate it.
However, this requirement is easy to scale, because the requests are independent of one another, so you can split tables and databases any way you like. For example, distribute requests across a database cluster using the URL as the sharding key (see NOTE 3). Tens of millions or hundreds of millions of records are achievable this way.
The real difficulty lies in atomicity: when two identical requests reach the server at the same time, two transactions operate on the database simultaneously, and the window between check and write can leave the data inconsistent.
That can also be handled with sharding plus the database's locking mechanism. Here, sharding serves double duty: (1) it balances the request load, and (2) it spreads out the performance cost of the locks.
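One common way to get that atomicity without an explicit lock is a single atomic check-and-set. A minimal sketch, assuming Redis via the redis-py client (key prefix and TTL are illustrative):

```python
import redis

r = redis.Redis()  # assumes a local Redis instance

def first_access(url: str, ttl_seconds: int = 3600) -> bool:
    """Atomically record the URL; returns True only for the very first request.

    SET with nx=True is one atomic command, so two simultaneous requests
    can never both observe "not stored yet".
    """
    return r.set("seen:" + url, 1, nx=True, ex=ttl_seconds) is not None
```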
NOTE 1: In practice, you must first normalize the URL, so that ?v1=1&v2=2 and ?v2=2&v1=1 are not mistakenly treated as different URLs.
NOTE 2: In fact, depending on your business logic, using a single one-time string (token / nonce / whatever you want to call it) as the key is best; it saves you the trouble of processing whole URLs.
NOTE 3: Generally, database cluster suites handle the sharding algorithm automatically, so you rarely need to write it by hand.
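For the normalization in NOTE 1, sorting the query parameters is usually enough. A sketch using only the Python standard library:

```python
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

def normalize_url(url: str) -> str:
    """Sort query parameters so ?v1=1&v2=2 and ?v2=2&v1=1 compare equal."""
    parts = urlsplit(url)
    query = urlencode(sorted(parse_qsl(parts.query)))
    return urlunsplit((parts.scheme, parts.netloc, parts.path, query, parts.fragment))

assert normalize_url("https://foo.com/?v2=2&v1=1") == normalize_url("https://foo.com/?v1=1&v2=2")
```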
The URL itself does not change, so something has to change on the server side.
Therefore, if you want each URL usable only once, you cannot escape storing that state.
Note that you don't need to store the whole URL; storing just the nonce is enough.
Can't you just add a temporary token?
You don't need the whole URL. It is effectively a one-time password for accessing your page.
In the approach you envision, the session is not global, so it cannot be used; only the database or Redis options remain.
It is hard to understand why the URL needs to be invalidated in the first place...
No matter how you do it, if the server stores nothing you can only rely on the random string being long enough.
Give the URL a validity period and store only the URLs that are still valid; they can live in a database and be cleaned up periodically plus on access.
This is generally how email verification and password-reset links for registered users work.
Probabilistically, a malicious attacker who has not obtained a valid random string and sign cannot try every possibility within the validity period; add a limit on attempts per IP and it is safe enough.
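A sketch of that scheme with the standard-library sqlite3 module; the table name, columns, and TTL are made up for illustration:

```python
import sqlite3
import time

db = sqlite3.connect("urls.db")
db.execute("CREATE TABLE IF NOT EXISTS valid_urls (nonce TEXT PRIMARY KEY, expires_at REAL)")

def issue(nonce: str, ttl_seconds: int = 1800) -> None:
    """Store a URL's nonce for its validity period."""
    db.execute("INSERT INTO valid_urls VALUES (?, ?)", (nonce, time.time() + ttl_seconds))
    db.commit()

def consume(nonce: str) -> bool:
    """Valid only once and only within the validity period."""
    db.execute("DELETE FROM valid_urls WHERE expires_at < ?", (time.time(),))  # clean up on access
    cur = db.execute("DELETE FROM valid_urls WHERE nonce = ?", (nonce,))
    db.commit()
    return cur.rowcount == 1
```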
If you want to verify that a URL can be accessed at most once, set the nonce to an incrementing number.
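A sketch of the bookkeeping that implies; a single global counter here, though a real service would track one per client and make the update atomic:

```python
last_nonce = 0  # highest nonce accepted so far

def accept(nonce: int) -> bool:
    """Accept a request only if its nonce is strictly greater than any seen before."""
    global last_nonce
    if nonce <= last_nonce:
        return False  # replayed or out-of-order request
    last_nonce = nonce
    return True
```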
Write a cookie after the access
Hash the millisecond-level timestamp together with the random string and use the result as a cache key, caching arbitrary content (such as 1) with the validity period as its TTL. The timestamp determines whether the request is still within the validity window; then check whether the cache key already exists. That is why both parameters are required.
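A sketch of deriving such a cache key; SHA-256 is an assumption, since the reply does not name a hash:

```python
import hashlib

def cache_key(timestamp_ms: int, nonce: str) -> str:
    """Derive a fixed-length cache key from the millisecond timestamp and random string."""
    return hashlib.sha256(f"{timestamp_ms}:{nonce}".encode()).hexdigest()
```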
Aren't you concerned about the data volume?
So... what? Store the data on the client side without using cookies?
It is much easier with the timestamp. Generally, if the timestamp falls outside a certain range, the URL is treated as invalid, so the nonce only needs to be stored (in a database or Redis) until it expires: the timestamp determines whether the request has expired, and the nonce determines whether it has been repeated. A timestamp range of about 30 seconds works well.
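Putting that together, a minimal sketch assuming Redis and a 30-second window:

```python
import time

import redis

r = redis.Redis()  # assumes a local Redis instance
WINDOW_SECONDS = 30

def is_fresh(timestamp: int, nonce: str) -> bool:
    """Reject expired requests via the timestamp, repeated ones via the nonce."""
    if abs(time.time() - timestamp) > WINDOW_SECONDS:
        return False  # expired: outside the 30-second window
    # the nonce only needs to live a little longer than the window itself
    return r.set("nonce:" + nonce, 1, nx=True, ex=2 * WINDOW_SECONDS) is not None
```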