windows mobile的登录实现
Windows 移动应用程序的凭据检查的好方法是什么?知道它是一个偶尔连接的设备。
我应该将用户凭据保存到本地数据库中吗?如果数据库中不存在该凭据,请尝试查看它是否可以访问互联网并通过网络服务进行检查?
如果两者都失败则显示错误消息?
如果登录成功,则将凭据存储到本地数据库存储,然后在下次登录时首先访问数据库?
这是一个好方法吗?
What is a good approach for credential checks for windows mobile app. Knowing that it is an occasionally connected device.
Should I keep the user credential into the local database? If the credential doesn't exist in the db, try to see if it has internet access and do the check through a web service?
If both fails then display an error message ?
If logins is successful then store the credential to the local database store then upon next login go against the database first?
Is this a good approach?
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(2)
我们很难告诉您什么是“好的”方法,因为它很大程度上取决于您的需求、您的设备、您的网络以及许多其他因素。对于需要通过某些远程服务器进行身份验证的应用程序来说,您的过程似乎是合理的。只需考虑几件事:
我确信还有其他好问题要问——这些只是我现在想到的问题。关键是,只有您知道您的应用程序需要什么级别的安全性以及用例是什么,因此判断一种方法是否良好的最佳人选就是您。
It's difficult for us to tell you what is a "good" approach because it depends highly on what your requirements are, your device, your network and a lod of other things. Your process seems reasonable for an application that needs to authenticate with some remote server. Just a few things to consider:
I'm sure there are other good questions to ask - these are just the ones that come to mind right now. The point is that only you know what level of security your app needs and what the use-cases are going to be so the best person to judge if an approach is good is going to be you.
我在我们使用的移动软件中也有类似的情况,我们使用以下方法:
它将在本地存储上次使用的用户名和密码的哈希值。
密码并与本地密码进行比较。如果它们匹配,则用户
无需互联网连接即可登录。如果失败了
用户还有两次尝试,此时软件要求验证
通过主服务器的凭据。
用于验证的互联网连接。如果它成功了,它就会随之而来
再次执行第一步。
显然,您需要意识到这种方法很容易受到暴力攻击。您无法阻止黑客进行大量尝试。您只能尝试减慢它们的速度(使用慢速哈希算法和其他麻烦)。如果您确实担心此类攻击;使用连接的登录验证方法是您唯一的方法。
顺便说一句,还有其他事情需要考虑。设备连接频繁还是非常不频繁?当连接不可用时,是否有许多不同的用户登录设备?这些问题的答案可能会引导您实现单一登录。
I have a similar situation in mobile software we use, we use the following approach:
It will store the last used username and a hash of the password locally.
password and compare it with the local one. If they match, the user
is logged in without the need of an internet connection. If it fails the
user gets two more attemps, at which point the software asks to verify
the credentials through the master server.
an internet connection to verify. And if it succeeds, it will follow
step one again.
Obviously, you need to be aware of the fact that this approach is vulnerable to a brute force attack. There is no way you can prevent a hacker from doing a lot of attemps. You can only try to slow them down (using a slow hashing algorithm and other nags). If you are really worried about such attacks; using a connected login verification method is your only way to go.
There are other things to consider by the way. Is the device connected frequently or really infrequently? Do a lot of different users login on the device while a connection is not available? Answers to such questions could lead you to a single login implementation.