Do you know how to build the user login function on the web?
User login should be the most basic function on the web, but after seeing how some sites implement it, I think it is necessary to write an article on how to build it. This article shows that the function may not be as simple as you think: it is a security function for your users, and I hope you can learn from what follows what a good user login function looks like.
User name and password
First of all, let's talk about user names and passwords. This is not the first time this site has discussed the matter: "How to manage your own password" showed you how to manage your passwords, and "Breaking your password" showed that at modern computing speeds, cracking your password by brute force may be very easy. Here I want to talk about designing the user name and password from the developer's point of view. Here are a few rules:
- Restrict users from entering passwords that are very easily cracked, such as qwert, 123456, password, and so on, just as Twitter restricts users' passwords with a password blacklist. In addition, you can have your program check the length of the password, whether it mixes upper and lower case, and whether it contains digits. Of course, this may make users uncomfortable, so many sites now offer UX that shows the user how strong the password is (such as this interesting UX). That leaves the choice with the user while telling them: to be safe, set a better password first.
- Never save a user's password in clear text. As "How to manage your own password" explained, users often log in to many sites with the same ID and the same password. So if your site stores passwords in plaintext and the data is passed around by a dishonest employee, it is disastrous for the user. Therefore the user's password must be encrypted before it is saved, preferably irreversibly, with a one-way hash algorithm such as MD5 or SHA1. CSDN once saved users' passwords in clear text. (Also, given the conduct of domestic companies and the management of the relevant departments, I cannot guarantee that domestic websites save your password in encrypted form. I think that, as people with a conscience, we should encrypt the passwords we save for our users.)
- Whether to let the browser save the password. There are many ways to stop the browser from saving the user name and password, but this may be uncomfortable for the user, because in the real world no one remembers so many passwords. Many users rely on password management tools, and the browser is just one of them. Whether to let the browser save the password is your decision; the point is how high your system's security level is. If it is high, do not let the browser save the password, and tell the user in an obvious place on the site that the safest place to keep a password is their own brain.
- Passwords in transit over the Internet. Because HTTP is a plaintext protocol, the user name and password are also sent in plaintext over the Internet, which is very insecure. You can read this article and you'll understand. To address this, you must use HTTPS for encrypted transmission. However, many websites in China still use ActiveX controls for web login, which may be a significant reason IE6 is still around. As I understand it, these ActiveX controls are there to counter keyloggers. Still, I feel ActiveX controls should not exist, because many security-critical sites abroad do not use them.
User logon status
First of all, HTTP is a stateless protocol: the protocol cannot record the user's access state, and each request is independent of and unrelated to the others. Our sites, however, are designed as multiple pages, and as the user moves between pages we need to know the user's state, especially the login state, so that after each page jump we know whether the user is permitted to operate certain functions or view certain data.
- Never store a user's password in a cookie, not even an encrypted password, because someone can obtain it and run an offline exhaustive search against it. Therefore, you must not keep the user's password in a cookie. I've seen too many sites do that.
- Design "Remember password" correctly. This function is simply a security risk, and I think not all programmers know how to design it. The usual design is: at the moment the user ticks this option, the system generates a cookie containing the user name and a fixed hash value, and that fixed hash value is used from then on. This way the cookie works on all devices and clients, and several people can log in with it at the same time. This is not very safe. Here are some more secure ways for your reference:
- Simple way: at login, if "remember me" is ticked, generate a unique encrypted token (a mix of user name, expiration, user ID, login time and so on can be encrypted together) and maintain it in a separate table. On each visit, check the user name against the corresponding token. The token is the equivalent of a temporary password.
1) In the cookie, save three things: user name, login sequence, login token.
User name: stored in clear text.
Login sequence: an MD5-hashed random number, updated only when the user is forced to enter the password (e.g., the user has changed the password).
Login token: an MD5-hashed random number, valid only within one login session; a new login session updates it.
2) These three things are also stored on the server, and when authenticating the user the server verifies all three against the client's cookie.
3) Such a design has the following effects:
a) The login token gives single-instance login: a user can have only one login instance.
b) The login sequence is used to detect theft. If the user's cookie is stolen and the thief uses it to access the website, our system treats the thief as the legitimate user and updates the "login token". When the real user comes back, the system finds that the "user name" and "login sequence" match but the "login token" does not, so it knows the user may have been compromised. The system can then clear and change the login sequence and login token, which invalidates all cookies and requires the user to enter the password, and it can warn the user about system security.
4) Of course, this design still has some problems, for example when the same user stays logged in on different devices, or even in different browsers on the same device. One device invalidates the login token and login sequence of another, forcing the other devices and browsers to log in again and creating the illusion of cookie theft. So you also need to take the IP address into account on the server side:
a) If the login was made with a password, we do not need to update the server's "login sequence" and "login token" (but the cookie must be updated), because we assume that only the real user knows the password.
b) If the IP is the same, we do not need to update the server's "login sequence" and "login token" (but the cookie must be updated), because we assume that the same user has the same IP (of course, machines on the same LAN also share an IP, but we assume the LAN is under the user's control). Using this feature in Internet cafes is not recommended.
c) If the IP is different and the login was not made with a password, the "login token" will change back and forth between the IPs (the login token is passed to and fro between two or more IPs). When this happens a certain number of times within a certain period, the system concludes that theft is very likely, clears the "login sequence" and "login token" in the background so that the cookies expire, and forces the user to enter the password (or requires the user to change the password), so that the cookies on the multiple devices are consistent.
- Do not let the cookie grant access to every operation. Otherwise you are exposed to XSS attacks; see the XSS attack on Sina Weibo. The following functions must require the user to enter the password:
1) Changing the password.
2) Changing the e-mail address. (The e-mail address is usually used to retrieve the user's password, so it is best changed by way of an e-mail or text message, or simply not changeable at all, with the e-mail address serving as the account name.)
3) The user's private information.
4) Functions where the user spends money.
- Weigh the expiration time of the cookie. If it never expires, the user experience is good, but users will quickly forget their login password. Setting an expiration period, such as 2 weeks or one month, may be better, but after those 2 weeks or one month the user will still have forgotten the password. In particular, on public computers a permanent cookie is equivalent to leaking the account. Therefore, the cookie expiration time also has to be weighed.
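The user name / login sequence / login token check from items 1) to 3) above, as an added Python example that is not code from the original article. The class name `RememberMeStore`, the in-memory dict standing in for the server-side table, and the use of SHA-256 hashes of random values (in place of the MD5 the article names) are assumptions of this sketch.

```python
import hashlib
import hmac
import secrets


class RememberMeStore:
    """Server-side record: user name -> hashed login sequence and login token."""

    def __init__(self):
        self._rows = {}  # hypothetical stand-in for a database table

    @staticmethod
    def _h(value):
        # Assumption: SHA-256 replaces the MD5 mentioned in the article.
        return hashlib.sha256(value.encode()).hexdigest()

    def password_login(self, username):
        """After a successful password check: fresh sequence and fresh token."""
        seq, tok = secrets.token_urlsafe(32), secrets.token_urlsafe(32)
        self._rows[username] = {"seq": self._h(seq), "tok": self._h(tok)}
        return {"user": username, "seq": seq, "tok": tok}

    def cookie_login(self, cookie):
        """Return (status, new_cookie); status is 'ok', 'theft' or 'invalid'."""
        row = self._rows.get(cookie.get("user"))
        if row is None or not hmac.compare_digest(
                row["seq"], self._h(cookie.get("seq", ""))):
            return "invalid", None
        if not hmac.compare_digest(row["tok"], self._h(cookie.get("tok", ""))):
            # User name and sequence match but the token is stale: another
            # party already used this cookie. Drop the record so every copy
            # of the cookie stops working and a password is required again.
            del self._rows[cookie["user"]]
            return "theft", None
        # Valid cookie: keep the sequence, rotate the token for the next session.
        tok = secrets.token_urlsafe(32)
        row["tok"] = self._h(tok)
        return "ok", {"user": cookie["user"], "seq": cookie["seq"], "tok": tok}
```

On a `theft` result the caller would clear the browser cookie, ask for the password and warn the user, as item 3b) describes.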
Password retrieval function
A password retrieval function must be provided, but many people don't know how to design it. There are many designs for retrieving a password; below I review each of them.
- Never use security questions. It turns out that this step is annoying and that users cannot set up good security questions and answers: my birthday, my mother's birthday, and so on. Today's Internet is not what it used to be. Because of SNS it is far more tied to real identities, and I can find a lot of real information about you on Facebook, Kaixin, Renren and LinkedIn. With that information I can answer the security questions and reset your password. Facebook deserves a mention here: its security question-and-answer is very strong, and it also has you identify people in photos, hehe.
- Do not reset the user's password. This could expose the user's password to malicious attack. Of course, you would send the user an e-mail to confirm, and reset the password only after the user clicks a link in it. I do not recommend this method, because users generally write the hard-to-remember password down on a note and then log in, and because the login uses the "Remember password" function, the user never changes the password. The written-down password then gets stolen, or the password is forgotten.
- A better approach: let users reset it themselves by mail. When the user asks to retrieve the password, the system generates a unique random MD5 string (it can be built from uid + IP + timestamp + random number), stores it in the database, sets a time limit (such as 1 hour), and sends the user an e-mail with a link containing that MD5 string. The user sets a new password by clicking the link.
- A better approach: multiple authentication. For example, have the user enter verification codes received by phone and by mail. Phone plus mail may still not be reliable, because the phone can be lost and my phone can access my mailbox. So use a U-Shield, SecureID (a changing 6-digit token), or verify the user's identity manually. Of course, this mainly depends on the security level of your system.
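The mail-based reset described above (random string stored in the database, one-hour limit, link in the e-mail), as an added Python example that is not code from the original article. The class name `ResetTokens` and the in-memory dict are hypothetical, and the token is drawn from the `secrets` module and stored as a SHA-256 digest rather than built as an MD5 of uid + IP + timestamp + random number.

```python
import hashlib
import secrets
import time

RESET_TTL_SECONDS = 3600  # the one-hour limit the article gives as an example


class ResetTokens:
    """Pending reset links: digest of the token -> (user id, expiry time)."""

    def __init__(self, clock=time.time):
        self._clock = clock   # injectable so expiry can be exercised offline
        self._pending = {}    # hypothetical stand-in for a database table

    @staticmethod
    def _digest(token):
        # Only a digest is stored, so a leaked table does not yield usable links.
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, user_id):
        """Create the token that goes into the e-mailed link."""
        # A new request cancels any link issued earlier for the same user.
        self._pending = {d: v for d, v in self._pending.items()
                         if v[0] != user_id}
        token = secrets.token_urlsafe(32)
        expires_at = self._clock() + RESET_TTL_SECONDS
        self._pending[self._digest(token)] = (user_id, expires_at)
        return token

    def redeem(self, token):
        """Return the user id if the token is known and fresh, else None."""
        # pop() removes the entry, which makes every link single-use.
        entry = self._pending.pop(self._digest(token), None)
        if entry is None:
            return None
        user_id, expires_at = entry
        return user_id if self._clock() <= expires_at else None
```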
Defending against password probing
- Use a verification code. A verification code is a short code generated at random on the back end, usually shown as a picture that is hard for a computer to recognize. This prevents a program from trying out the user's password. It turns out to be the simplest and most effective method. Of course, entering verification codes that even the naked eye can hardly read is always a bad experience for users, so you can compromise. Google, for example, asks you to enter a verification code when it finds that a large number of searches have come from one IP address. When it finds that the same IP has registered more than 3 Gmail mailboxes, it requires verification by text message or by phone.
- The number of password failures per user. Set an upper limit on failed password attempts; after too many failures the account is locked, and the user has to go through password retrieval to reactivate it. However, this feature can be abused by malicious people. The best approach is to raise the time cost of each attempt (the previous article described a decryption algorithm that adds time cost). For example, two password attempts must be 5 seconds apart; after more than three failures the account is temporarily locked for 30 seconds, after more than 5 it is locked for 1 minute, after more than 10 it is locked for 4 hours, and so on. However, malicious users can still attack this with a script, so it is best to add a verification code as well; when the verification code is wrong too many times, block the IP rather than the login.
- System-wide defense. The defenses above only cover an individual user. The bad guys know that, so they usually use botnets to try passwords across a whole batch of users, and the per-user defenses may not be good enough. We need to monitor the number of failed passwords across the whole system. Of course, this needs data from periods when we are not under attack as a baseline. For example, if your system averages 5,000 password errors per day, then when the number of errors significantly exceeds that figure and the errors are concentrated in time, it indicates an attack. What do you do then? The most common response is to raise the time cost for all users to try again after a wrong password.
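The per-account delays and the system-wide failure monitor from the last two items, combined in one added Python example that is not code from the original article. The class name `LoginThrottle`, the one-hour sliding window and the doubling of delays during a spike are assumptions of this sketch; the 5 s / 30 s / 1 min / 4 h steps are the article's.

```python
import time
from collections import defaultdict, deque

# (failures exceeded, lock seconds): more than 3 -> 30 s, 5 -> 1 min, 10 -> 4 h
LOCK_STEPS = [(10, 4 * 3600), (5, 60), (3, 30)]
MIN_INTERVAL = 5  # seconds between two attempts on the same account


class LoginThrottle:
    def __init__(self, global_limit, window=3600, clock=time.time):
        self._clock = clock
        self._fails = defaultdict(int)       # account -> consecutive failures
        self._next_ok = defaultdict(float)   # account -> earliest next attempt
        self._recent = deque()               # timestamps of all failures
        self._global_limit = global_limit    # baseline taken from normal traffic
        self._window = window                # assumed sliding window, in seconds

    def under_attack(self):
        """True when site-wide failures inside the window exceed the baseline."""
        cutoff = self._clock() - self._window
        while self._recent and self._recent[0] < cutoff:
            self._recent.popleft()
        return len(self._recent) > self._global_limit

    def wait_needed(self, account):
        """Seconds that must still pass before this account may be tried."""
        return max(0.0, self._next_ok[account] - self._clock())

    def record(self, account, success):
        """Register the outcome of one password check."""
        now = self._clock()
        if success:
            self._fails.pop(account, None)
            self._next_ok.pop(account, None)
            return
        self._fails[account] += 1
        self._recent.append(now)
        count = self._fails[account]
        delay = next((s for n, s in LOCK_STEPS if count > n), MIN_INTERVAL)
        if self.under_attack():
            delay *= 2  # assumed policy: raise the time cost during a spike
        self._next_ok[account] = now + delay
```

The login handler calls `wait_needed()` before checking the password and `record()` afterwards; `global_limit` comes from the failure rate measured when the site is not under attack.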
Finally, once again: using third-party OAuth and OpenID for user login is a good choice.