如何将用户转发到"resetPassword"如果用户使用无效的用户名&尝试登录超过3次，则显示页面密码(STRUTS2) [英] how to forward users to "resetPassword" page if users attempt to login more then 3 times with invalid username & password(STRUTS2)

问题描述

我要实现:

如果用户尝试使用无效的用户名&密码超过3次.我想将它们转发到我的重置密码页面".

If users tries to login with invalid username & password for more than 3 times. I would like to forward them to my "reset password page".

这背后的逻辑是什么.我无法捕捉到此问题的确切逻辑.请帮忙.

What is the logic behind this. I'm unable to catch the exact logic for this problem. Please help.

我认为要应用的内容: 将表单文本字段中的默认值从表单中传递为Login_attempt=1，

What I thought to apply: passing default value from my form textfield as Login_attempt=1 from my form ,

//geter & setter of loginAttempt
if(loginAttempt>3)
{
    return resetPassword;//forwarding to resetPassword.jsp from my struts.xml
} 
else
{    
    //perform other tasks
}

但是从我上面的逻辑来看，我有一个疑问:如何在每次提交表单时增加loginAttempt值.这样我的上述代码将对我有用.

But from my above logic I have doubt : How can I increment the loginAttempt value on each time of the form submits. so that my above code will work for me.

如果还有其他逻辑要实现.请和我分享.

If you have any other logic to implement. Please share with me.

推荐答案

根据需要执行此操作将成为安全漏洞，因为尝试次数将成为html的一部分，因此任何人都可以对其进行更改(您不能需要特殊的工具，例如您可以使用chrome开发工具).因此，考虑到这一点，某些恶意用户可能使程序进行无数次尝试蛮力攻击的尝试.

Doing that as you want would become a security hole, as the number of attempts would be part of the html, so anyone could change it (you don't need special tools, you can do that with chrome dev tools for example). So with this in mind some malicious user could make a program to have infinite attempts to try a brute force attack.

为避免此安全漏洞，您可以使用以下方法之一:

To avoid this security gap you may use one of the following approaches:

• 存储会话中的尝试次数.我认为这是最简单的方法，因为您正在使用Struts2作为框架. 要在Struts2 Action中获得会话，您应该实现 SessionAware 接口. 另外，一旦用户成功登录，别忘了重置尝试的值.

• Store the number of attempts in the session. In my opinion this is the easiest way given that you're using Struts2 as your framework. To get the session in your Struts2 Action you should implement the SessionAware interface. Also, don't forget to reset the value of the attempts once the user has logged in successfuly.

一些开发人员不喜欢使用会话，因此他们使用数据库.就性能而言，这是一种比会话更好的方法，尤其是在您的网站拥有大量用户的情况下.

Some developers don't like using the session so they use a database. This is a better approach than the session in terms of performance, specially if your website has a high number of users.

另一种选择是使用Cookie或什至是隐藏参数，但要对其信息进行加密(例如，第一个是Ruby on Rails框架的方法).

Another option would be using the cookies or even a hidden parameter in a form but encrypting it's information (the first one is the aproach of the Ruby on Rails framework for example).

最佳选择取决于您项目的要求.我个人认为，除非使用某种支持它的框架或工具，否则不应使用最后一个选项.

The best choice depends on your project's requirements. In my own opinion you shouldn't use the last option unless you are using some framework or tool that gives support for it.

要在其他两个选项之间进行选择，一个好的指标将是您希望网站拥有的用户数量(如果您的网站数量很少或正在使用私人网站，则会话可能是一个更好的方法.数据库始终是很好，但所需的开发时间通常会更长，并且可能对可维护性有害一些.

To chose between the other two options a good indicator would be the amount of users you expect your website will have (if you have few or you're doing a private website the session may be a better aproach. The database is always fine but the development time needed is usually higher and it might be a little more harmful for maintainability).

当然，还有更多解决方案，但是我认为我已经介绍了最常见的解决方案.

Of course there are many more solutions for this but I think I have covered the most common.

这篇关于如何将用户转发到"resetPassword"如果用户使用无效的用户名&尝试登录超过3次，则显示页面密码(STRUTS2)的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！