我如何类似于典型的“帐户确认”?在多个网站上看到的程序?

发布于 2024-09-18 08:59:31 字数 465 浏览 3 评论 0原文

我想类似于多个网站中看到的典型“帐户确认”过程。当用户注册时,系统会向他发送一封带有确认链接的电子邮件。一旦用户转到该确认链接,其帐户就会得到确认。 不用担心电子邮件发送过程。问题是我需要生成一个 URL,用户可以输入该 URL 以确认他的新帐户。此页面需要接收一些参数,但我不希望 url 类似于 .../confirmation?userId=1 。我希望它是一个加密的网址以避免滥用,这可能吗?到目前为止,我有这样的想法:

 public class CancelReservationPage extends WebPage{

 public CancelReservationPage(PageParameters pageParameters){
  // get parameters
  // confirm account
  // etc..
 }
}

下一步是什么?

谢谢!

I want to resemble the typical "confirmation of account" procedure seen in multiple websites. When a user registers an email is sent to him with a confirmation link. Once the user goes to that confirmation link its account gets confirmed. Don't worry about the email sending process. The thing is that I need to generate a URL to which the user can then enter to get his new account confirmed. This page will need to receive some parameters but I don't want the url to be something like .../confirmation?userId=1 . I want it to be an ecrypted url to avoid abuses, is this possible? So far, I have something like this:

 public class CancelReservationPage extends WebPage{

 public CancelReservationPage(PageParameters pageParameters){
  // get parameters
  // confirm account
  // etc..
 }
}

What's next?

Thanks!

如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。

扫码二维码加入Web技术交流群

发布评论

需要 登录 才能够评论, 你可以免费 注册 一个本站的账号。

评论(3

青巷忧颜 2024-09-25 08:59:31

您不需要加密,最好使您的参数完全不可知。只需生成一个随机字符串,例如 12 个字符长,并将其存储在用户表的数据库中。

You don't need encryption, better making your parameter totally agnostic. Just generate a random string, for example 12 char long, that you store in DB in the user table.

请叫√我孤独 2024-09-25 08:59:31

除了在数据库中存储唯一密钥的解决方案之外,还有一种更方便但可能不太安全的方法(容易泄露密钥和破坏哈希)。

生成包含 userIdhash(userId + SecretKey) 的 URL,其中 secretKey 是应用程序的唯一密钥,hash code> 类似于 SHA-1。因此,恶意者除非知道密钥,否则无法计算哈希值,并且您可以通过将传入哈希值与新计算的哈希值进行比较来验证确认请求。

SHA-1 可以使用 计算java.security.MessageDigest 或 Apache Commons Codec 的 DigestUtls.shaHex()

您还可以添加到期日期,以使您的确认链接在有限时间内有效。

Aside from the solutions with storing unique key in the DB, there is a more convenient but perhaps less secure method (vulnerable to disclosure of the secret key and breaking of the hash).

Generate a URL containing userId and hash(userId + secretKey), where secretKey is an unique key of your application and hash is something like SHA-1. So, malicious person can't compute the hash unless he knows the secret key, and you can validate the confirmation request by comparing incoming hash with the newly computed one.

SHA-1 can be computed using java.security.MessageDigest or Apache Commons Codec's DigestUtls.shaHex().

You may also include an expiration date to make your confirmation link valid for the limited time.

半仙 2024-09-25 08:59:31

非常简单:

  1. 在发送电子邮件之前,生成一个
    唯一的密钥(一系列字符,
    最简单的是 GUID)
  2. 将此唯一密钥存储在数据库中并将其链接到
    关联的用户帐户
  3. 将此密钥作为参数包含
  4. 在帐户确认页面代码中电子邮件中发送的帐户确认 URL 中,检查数据库以查看是否
    收到的代码是真实的
    如果密钥在您的数据库中,则由您的代码生成
  5. ,然后激活帐户

Pretty simple:

  1. before sending the email, generate a
    unique key (a series of characters,
    the easiest would be a GUID)
  2. store this unique key in the database and link it to the
    associated user account
  3. include this key as a parameter in the account confirmation URL sent in the email
  4. in the account confirmation page code, check the database to see if
    the received code is genuinely
    generated by your code
  5. if the key is in your database then activate the account
~没有更多了~
我们使用 Cookies 和其他技术来定制您的体验包括您的登录状态等。通过阅读我们的 隐私政策 了解更多相关信息。 单击 接受 或继续使用网站,即表示您同意使用 Cookies 和您的相关数据。
原文