Spec: Process: Login Cookies Sessiontimeout

Specification

Users login to the site will receive a cookie, if the user has 2 account, the individual Login Admin page and client page, will receive 2 cookies.

In reload page, backstage will get 2 cookies, (*asp.net only have a cookie management, there is no use of the ASP. NET tools, you will sooner or later encounter the problem of missing)

If there is a cookie, there must be a header indicating Selectedaccounttypename and Selectedaccountrole, without the header if there is no cookie

After verification, directly to the front desk processing, if found that there are 2 cookies will be asked to use the account.

In each of the Ajax requests, Sessiontimeout will be re-updated, if the admin sessiontimeout is 5 minutes, the client sessiontimeout is 3 months, here will be updated separately.

Design requirements: Customers to design and arvixe the same, then make three twilight four, I hope he can understand this is not bad, but if customers hard to do so, they have to deal with the problem of high price, change a concept. All subsequent projects will follow this concept.

Security issues: In addition to the ability to write domain and path settings, cookies can be httponly = True,javascript are not allowed to access cookies and can be accessed by the browser and background.

When you log out, you will be asked to choose which account to log out, and you will be asked to log out the clear cookies in the background (the cookies cannot be manipulated by the front desk JavaScript). If you log out, the local cookie is already expired, go directly to the login interface

Registration Process

User registration will make a request, the content is Primarykey,accounttypename,password. Backstage will go through PrimaryKey and accounttypename to SQL find whether this account, not found on behalf can register,

Then will protect hacker, determine the front desk to Accounttypename is right (because the admin is not register),

Then make sure that the set roles is required after accounttypename (an account can have multiple roles, a role can have multiple permissions),

Then encrypt the password,

Then create tokens,

And then into SQL,

Send email or phone to users to receive token to page verifycontact

Verifycontact process

Users will receive e-mail or information, the content is directly accessible to the Web page, will be accompanied by Token,primarykey and Accounttypename, then the background will be received will start to SQL to find information, in order to beware of hacking, each token will be updated SQL The token no match count++, if the data is no match count is greater than 100, the background will throw an error Singal (Resend verify code)

The front desk will have a resend Verify code button, the user clicks will receive an email or message, no matter how many times the token will be the same, but the token no match count greater than 100 will be the token to update.

If it is not Hack,token will be successful match,sql will be updated (the token remove), reponse to the foreground account object at the same time the cookie is given.

This will give the account object to push to Accountarray, digest after the page will be updated. (Hdlogin is backstage through the cookie to find resources, and then into Hdlogin)

Forgotpassword process

Users will submit primarykey,accounttypename to the backstage, to find the SQL data sent by email or information, no matter how many times token will be the same, but the token no match count Larger than 100 or empty will give the token to update or Add.

ResetPassword process

After receiving email or information, come to this page will need to enter the password and Confirm password, the front desk will submit Primary,accounttypename,password and token, then the backstage will receive will start to go to SQL to find information, In order to beware of hacking, each token is different will update the SQL token no match count++, if the data is no match count is greater than 100, the background will throw an error Singal (go forgot Password

Login process

Front desk need to submit primarykey,accounttypename,password to backstage, backstage to SQL find, if have account but password wrong, will update no match count++, if is the data no match Count is greater than 100, background will throw an error singal (go forgot password)

Account Disable

SQL will get the account object during Verifycontact,forgotpassword,resetpassword and ResetPassword . If the account status is found to be disabled, throw an error singal to the foreground.

If there is no disabled, you will see each character, if the role is diasble, the background will take away the role.

Spec: Process: Login Cookies Sessiontimeout