验证码验证逻辑?
我需要为我正在开发的集成软件编写验证码服务。经过一番思考,我认为我并不完全理解验证码在技术上是如何工作的(我确实理解它在功能上是如何工作的),因此无法做出一些设计决策。困扰我的一些事情是:
- 我应该为每个用户保留一个会话吗? (即记住他们的 IP、域等)
- 失败时我应该重新生成密码吗? (我知道像 google 和 digg 这样的网站会这样做)
- 每次调用都会访问数据库我不确定这是否会影响服务器的性能,但我会考虑使用像 memcahed 这样的东西。但我无论如何也想不出不访问数据库或缓存,因为您需要先读取,然后验证然后更新。
- 我需要验证码的到期时间吗?说15分钟?
如果 1 是,那么我认为逻辑会变得复杂,因为我需要执行以下操作: 该密码之前已被验证过吗?已经过期了吗?是来自同一个ip吗?等等
如果我需要记住 IP 并进行验证,在太多无效请求之后我该怎么办?我阻止他们吗?
所以我认为验证码应该以这种方式工作,简单的方式:
无状态,这意味着生成的每个验证码只能在 2 个请求中生存,即初始请求和后续请求。结果要么失败,要么通过。如果失败则创建一个新的。
我很感谢能够提出一些建议或解释正确的验证码如何工作的人。谢谢。
更新:
我需要稍微解释一下功能要求:
条款:
- 客户是www中的其他人,
- 我的服务包括:验证码服务和客户可以通过以下方式访问的其他服务http 请求。
工作流程:
- 客户向验证码服务发出请求
- 验证码服务生成令牌、密码并保存到数据库
- 客户向验证码网络发出 http 请求以检索图像
- 客户向我们的其他服务发出请求并传入密码,
- 我们的其他服务将使用密码短语来验证我们的验证码服务 等等...
我也在想3是否有必要。或者我应该在步骤 2 中返回图像流。
I need to write a captcha service for the integration software I am working on. After some thinking I think I don’t fully understand how captcha works technologically (I do understand how it works functionally) and therefore haven’t been able to make some design decisions. A few things that bother me are:
- Should I keep a session for each user? (i.e. remember their IP, domain, etc)
- Should I regenerate a passphrase on fail? (I know that sites like google and digg do it)
- Every call will hit database I am not sure if this will impact performance on the server but I will consider using things like memcahed. But I can't think of anyway to not hit db or cache becuase you need to first read, then validate then update.
- Do I need an expiry time for the captcha? say 15 mins?
If 1 is yes then I think the logic becomes complex because I need to do things like:
has this passphrase been validated before? has it expired? is it from the same ip? etc
And if I need to remmeber the IP and validate against, after too many invalid request what do I do? Do I block them?
So I am thinking captcha should work this way, the simple way:
Sort of stateless which means each captcha generated will only survive 2 requests, the initial request and the subsequence request. And the result will either be failed or passed. If failed then create a new one.
I appretiate someone who can make some suggestions or explain how a proper captcha works. Thanks.
Update:
I need to explain the functional requirement a bit:
Terms:
- customer is someone else out in the www
- my service includes: captcha service and other service which customer can access via http request.
Workflow:
- customer makes request to captcha service
- captcha service generates token, passphrase and save to db
- customer make http request to captcha web to retrieve image
- customer makes request to our other service and pass in passphrase
- our other service will use passphrase to validate against our captcha service
etc...
Also I am thinking if 3 is necessary. Or should I just renturn the image stream in step 2.
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(3)
取决于您使用的服务器端 Web 编程语言。大多数它们只是提供内置方法来管理会话,例如在 PHP 中使用
session_start()并访问$_SESSION,在例如 JSP/Servlet 中,您可以通过 <代码>HttpServletRequest#getSession()。由于您没有提及您正在使用哪一种,因此我无法给出更具体/详细的答案。我所能建议的就是查阅相关编程语言的文档/图/书籍。您无需记住 IP。只需在会话中设置一个密钥/令牌就足够了——而这通常已经由 cookie 支持,因此如果您打算自行扩展这一切,理论上您也可以使用 cookie (注意:不要将cookie 中的答案,但只是一些用于识别客户端的唯一密钥!)。
当然你应该这样做。否则,机器人很容易对验证码进行暴力破解。
也就是说,您是否有任何理由不使用可以插入的现有验证码 API,例如 reCAPTCHA?
Depends on the server side web programming language you're using. Most them just offers builtin ways to manage the session, in for example PHP use
session_start()and access$_SESSIONand in for example JSP/Servlet you can get it byHttpServletRequest#getSession(). As you didn't mention which one you're using, I can't give a more specific/detailed answer. All I can suggest is to just consult the docs/tuts/books of the programming language in question.You don't need to remember the IP. Just setting a key/token in the session is enough --which in turn is usually already backed by a cookie, so you could in theory also just use a cookie for this if you intend to homegrow this all (note: do NOT put the answer in the cookie, but just some unique key to identify the client!).
Certainly you should. Otherwise it's easy for bots to do a brute force on the captcha.
That said, is there any reason that you don't use an existing captcha API which you could just plug in, such as reCAPTCHA?
验证码很难。有很多研究涉及它们的设计和破坏。
更好、更有用的解决方案是使用像 reCAPTCHA 这样的工具: http://recaptcha.net/ Whyrecaptcha.html 提供了相当好的安全性,使集成变得容易,并使花在打字上的时间变得有用。
Captchas are hard. There is a lot of research going into designing them as well as breaking them.
A much better, and more useful, solution, is to use a tool like reCAPTCHA: http://recaptcha.net/whyrecaptcha.html which provides pretty good security, makes integration easy and makes the time spent typing go to something useful.
我应该从为什么使用验证码开始?由于显而易见的答案是防止垃圾邮件机器人,因此我认为保存每个用户的会话是一个坏主意。它可能会导致错误地阻止合法用户。另外,它不会阻止智能机器人继续尝试破解您的验证码。
此外,如果您不重新生成验证码,一个好的机器人最终会破坏它。
所以,恕我直言,您最好永远不要阻止用户(也许会阻止注册用户,但如果是匿名的,则不会)并为每个请求重新生成验证码。
I should start with why use captcha? Since the obvious answer is to prevent spam bots, I think saving sessions per user is a bad idea. It can lead to blocking legitimate users by mistake. Plus it will not prevent a smart bot from continuing to try break your captcha.
Furthermore, if you will not regenerate the captchas, a good bot will eventually break it
So, IMHO, you better of never blocking users, (maybe blocking registered users, but if it is anonymous then no) and regenerate the captcha for every request.