JavaScript/PHP 注册电子邮件确认工作流的安全注意事项 [英] Security considerations for JavaScript/PHP registration email confirmation workflow

问题描述

我正在为我的 JavaScript/PHP 网站构建用户注册工作流程.一旦用户注册，他们就会被添加到数据库中(处于非活动状态).然后，用户将收到一封确认电子邮件，要求他们点击确认链接.

I am building a user registration workflow for my JavaScript/PHP website. Once the user registers, they are added into a database (with an inactive status). The user will then receive an email confirmation, which requires them to click on a confirmation link.

目前，确认链接会将用户重定向到网站登录页面，确认代码作为 URL 参数.文档准备好后，JavaScript 将从 URL 中提取确认代码并将其提交给 PHP 后端.如果代码有效，则用户在数据库中的状态升级为活动状态.

Currently, the confirmation link will redirect the user to the site log-in page with the confirmation code as URL parameter. On document ready, the JavaScript will pull the confirmation code from the URL and submit it to the PHP back-end. If the code is valid, then the user status is upgraded to active in the database.

从安全的角度来看，确认链接直接导航到 PHP，然后 PHP 可以将用户重定向回网站是否更好?最佳做法是什么?

From a security standpoint, is it better for the confirmation link to navigate directly to the PHP, and then the PHP can redirect the user back to the website? What is the best practice?

推荐答案

我认为您如何操作并不重要，只要您仍在验证安全代码即可.如果您真的愿意，您可以仅使用 PHP 来实现.

I don't think it matters all that much how you do it, as long as you are still validating the security code. You can do that with just PHP, if you really wanted to.

将用户发送到例如/verify.php?key=123456，并在您的页面上:

Send the user to e.g. /verify.php?key=123456, and on your page:

if (isset($_GET['key']))
{
    $key = $_GET['key'];
    // TODO: Perform validation on $key
    // TODO: Do whatever you are already doing to list the user's email as valid.
}

这篇关于JavaScript/PHP 注册电子邮件确认工作流的安全注意事项的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！