我如何类似于典型的“帐户确认”?在多个网站上看到的程序?
我想类似于多个网站中看到的典型“帐户确认”过程。当用户注册时,系统会向他发送一封带有确认链接的电子邮件。一旦用户转到该确认链接,其帐户就会得到确认。 不用担心电子邮件发送过程。问题是我需要生成一个 URL,用户可以输入该 URL 以确认他的新帐户。此页面需要接收一些参数,但我不希望 url 类似于 .../confirmation?userId=1 。我希望它是一个加密的网址以避免滥用,这可能吗?到目前为止,我有这样的想法:
public class CancelReservationPage extends WebPage{
public CancelReservationPage(PageParameters pageParameters){
// get parameters
// confirm account
// etc..
}
}
下一步是什么?
谢谢!
I want to resemble the typical "confirmation of account" procedure seen in multiple websites. When a user registers an email is sent to him with a confirmation link. Once the user goes to that confirmation link its account gets confirmed. Don't worry about the email sending process. The thing is that I need to generate a URL to which the user can then enter to get his new account confirmed. This page will need to receive some parameters but I don't want the url to be something like .../confirmation?userId=1 . I want it to be an ecrypted url to avoid abuses, is this possible? So far, I have something like this:
public class CancelReservationPage extends WebPage{
public CancelReservationPage(PageParameters pageParameters){
// get parameters
// confirm account
// etc..
}
}
What's next?
Thanks!
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(3)
您不需要加密,最好使您的参数完全不可知。只需生成一个随机字符串,例如 12 个字符长,并将其存储在用户表的数据库中。
You don't need encryption, better making your parameter totally agnostic. Just generate a random string, for example 12 char long, that you store in DB in the user table.
除了在数据库中存储唯一密钥的解决方案之外,还有一种更方便但可能不太安全的方法(容易泄露密钥和破坏哈希)。
生成包含
userId
和hash(userId + SecretKey)
的 URL,其中secretKey
是应用程序的唯一密钥,hash
code> 类似于 SHA-1。因此,恶意者除非知道密钥,否则无法计算哈希值,并且您可以通过将传入哈希值与新计算的哈希值进行比较来验证确认请求。SHA-1 可以使用
计算java.security.MessageDigest
或 Apache Commons Codec 的DigestUtls.shaHex()
。您还可以添加到期日期,以使您的确认链接在有限时间内有效。
Aside from the solutions with storing unique key in the DB, there is a more convenient but perhaps less secure method (vulnerable to disclosure of the secret key and breaking of the hash).
Generate a URL containing
userId
andhash(userId + secretKey)
, wheresecretKey
is an unique key of your application andhash
is something like SHA-1. So, malicious person can't compute the hash unless he knows the secret key, and you can validate the confirmation request by comparing incoming hash with the newly computed one.SHA-1 can be computed using
java.security.MessageDigest
or Apache Commons Codec'sDigestUtls.shaHex()
.You may also include an expiration date to make your confirmation link valid for the limited time.
非常简单:
唯一的密钥(一系列字符,
最简单的是 GUID)
关联的用户帐户
收到的代码是真实的
如果密钥在您的数据库中,则由您的代码生成
Pretty simple:
unique key (a series of characters,
the easiest would be a GUID)
associated user account
the received code is genuinely
generated by your code