“忘记密码”节流

发布于 2024-11-06 09:09:20 字数 103 浏览 5 评论 0原文

我设置了一个“忘记密码”系统,该系统会向用户发送一封带有重置链接的电子邮件。 M 问题是:如何防止该系统被滥用?我如何确保人们不会使用它向人们的收件箱发送垃圾邮件,但仍然可以供需要它的人使用?

I have a 'forgot password' system set up that sends an email with a reset link to the user. M question is: How can I prevent abuse of this system? How can I make sure that people don't use this to spam peoples inboxes but still have it usable for the people that need it?

如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。

扫码二维码加入Web技术交流群

发布评论

需要 登录 才能够评论, 你可以免费 注册 一个本站的账号。

评论(5

你的心境我的脸 2024-11-13 09:09:20

询问注册的电子邮件地址而不是用户名?它被恶意用户知道的可能性要小得多。

或者,在用户表中有一个 TimeOfLastReset 字段,并在发送电子邮件时更新该字段。如果 CurrentTime-TimeOfLastReset 太小,则不发送。

Ask for the registered email address rather than the username? It is much less likely to be known by a malicious user.

Alternately, have a TimeOfLastReset field in your users table, and update this whenever you send an email. If CurrentTime-TimeOfLastReset is too small, then don't send.

赠意 2024-11-13 09:09:20

发送恢复电子邮件后,记录发送的时间。如果在预设时间间隔(15 分钟?6 小时?一天?)内有任何进一步/过多的恢复请求,请打印一条消息,不要发送电子邮件。

When a recovery e-mail is sent, record the time at which it happened. If there are any further/too many recovery requests within a preset time interval (15 minutes? 6 hours? a day?), print a message and don't send the e-mail.

双手揣兜 2024-11-13 09:09:20

1) 您必须知道您的电子邮件地址(不仅仅是用户名) 2) 您在一段时间内只能重置一次密码 3) 重置不能立即生效,您必须单击邮件中的链接

1) you have to know your email address (not just the username) 2) you can reset your password only once in a timespan 3) to reset doesnt work immediately, you have to click a link in the mail

遮了一弯 2024-11-13 09:09:20

不要认为它真的有可能被垃圾邮件发送者滥用。

对于垃圾邮件发送者来说,发送给用户的自动消息(具有固定内容)是没有用的。

然而,您可以做的是将会话 ID 添加到隐藏字段并在提交时检查它。
或者向表单添加一个带有 name="message" 的隐藏 (disply: none) 字段和一个空值。并检查表单提交时它是否仍然为空。

让用户填写用户名和电子邮件地址并进行验证。

Don't think it really has the potential of being abused by spammers.

For a spammer an automated message (with fixed content) sent to the user is useless.

However what you can do is add the session id to a hidden field and check it on submit.
Or add a hidden (disply: none) field with name="message" and a empty value to the form. And check if it still is empty on form submit.

Let the user both fill in their username AND e-mailaddress and verify it.

橘虞初梦 2024-11-13 09:09:20

如果您使用电子邮件作为登录用户名,那么这应该不是一个大问题,因为不是每个人都知道他们的电子邮件,而且为了让他们能够重置,他们的电子邮件必须在数据库中匹配。因此,只有当有人输入有效的电子邮件时,它才会被发送和重置。

if you used email as a login username, it shouldn't be a big problem since not everyone would know their email, and the fact that in order for them to be able to get a reset, their email must match in the database. Therefore it would only be sent and reset if someone entered a valid email.

~没有更多了~
我们使用 Cookies 和其他技术来定制您的体验包括您的登录状态等。通过阅读我们的 隐私政策 了解更多相关信息。 单击 接受 或继续使用网站,即表示您同意使用 Cookies 和您的相关数据。
原文