How to protect registration page from multiple malicious requests?

Views: 176

Problem description

I allow users to register on my website using a registration form. Once the form is submitted, a token will be generated and sent by email to the user; they need to click on the token link to activate their account.

My question is: if I do it, can malicious code still send multiple emails to my website to register? Should I use a Captcha to protect the website, or is there any other method?

Recommended answer

If all you want is to prevent double submissions, you can generate a unique token for the form that you check on submission. This requires some thought if there are multiple forms per page. Also, a simple method is to just disable the form/button on submission. This is even more effective if the form is submitted via Ajax (so that the action parameter of the form can be absent and thus not easily harvestable).

If you want to prevent automatic submissions (by bots), while Captcha is probably the strongest of the common methods, it is also very user-hostile. Instead, unless you have a reason to believe your site is being specifically targeted, it is usually enough to just use honey-pot fields (invisible fields that a human would never fill but a bot would) and hidden fields that you fill with a known value after a short delay using JS (a bot wouldn't normally execute JS nor take time to type into fields like a human). Simply doing an Ajax submission is also usually enough. I recommend using one or a mixture of these methods before falling back to Captcha.
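The server-side half of the checks described in this answer, as an added example that is not part of the original post: a one-time form token that is consumed on use (so a double submission or replay is refused), a honey-pot field that must stay empty, and a hidden field that the page's JavaScript is assumed to fill with a known value only after a short delay. The field names `form_token`, `website` and `js_check`, the expected value and the minimum delay are all constructed for the example.

```python
import hmac
import secrets
import time

# Constructed example (not the original answer's code): server-side validation
# of a registration form using the three techniques from the answer above.
JS_FILLED_VALUE = "ok-from-js"   # value the page's JS writes after the delay
MIN_FILL_SECONDS = 2.0           # a human needs at least this long to type


class RegistrationGuard:
    def __init__(self):
        self._tokens = {}  # token -> time issued; only unused tokens are kept

    def issue_token(self, now=None):
        """Called when the form is rendered; embed the token as a hidden field."""
        token = secrets.token_urlsafe(32)
        self._tokens[token] = time.time() if now is None else now
        return token

    def validate(self, form, now=None):
        """Return (accepted, reason). The token is consumed, so a second
        submission with the same token (double submit or replay) is refused."""
        now = time.time() if now is None else now
        issued = self._tokens.pop(form.get("form_token", ""), None)
        if issued is None:
            return False, "unknown or already-used form token"
        # Honey-pot: hidden via CSS, so a real user leaves it empty.
        if form.get("website", ""):
            return False, "honey-pot field was filled"
        # Field that only the page's JS fills after a delay; constant-time compare.
        if not hmac.compare_digest(form.get("js_check", ""), JS_FILLED_VALUE):
            return False, "JS-filled field missing or wrong"
        # Submitting faster than a human could type is another bot signal.
        if now - issued < MIN_FILL_SECONDS:
            return False, "submitted too quickly after the form was issued"
        return True, "accepted"
```

Rejected submissions should be counted per source as well, since these checks stop casual bots but not a bot written specifically against this form.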
