这是一个合理的用户注册过程吗? [英] Is this a reasonable user registration process?
问题描述
我正在为内部申请进行注册流程.我的初始设计如下.
我的主要问题是是否真的需要包含registration_confirmation_code
.它会保护应用程序免受现实威胁还是只是增加不必要的复杂性?我不确定.
-
用户输入电子邮件地址.由于这是内部应用程序,因此必须是代理商地址.
-
如果这是有效的代理商地址,则应用会在users表中创建新行.
-
该表具有一列
registration_confirmed
,默认情况下该列为false
.除非registration_confirmed
是true
,否则应用程序将不允许用户登录. -
表中的列
registration_confirmation_code
是随机生成的字符串.
-
-
App向用户输入的地址发送电子邮件.它包含指向页面的链接,该页面将允许用户确认注册并设置用户名和密码.
该链接在查询字符串中包含用户的
id
和registration_confirmation_code
:http://agencydomain.com/users?id=123®istration_confirmation_code=fab49dk34nw97d
-
通过单击链接,用户可以验证输入的地址是否有效,并且可以访问该地址.
-
应用程序通过ID查找用户.在允许他们访问可以设置用户名和密码的页面之前,该应用会检查...
-
registration_confirmed
是false
.他们只能确认一次注册. -
registration_confirmation_code
请求参数与该用户在数据库中的值匹配.这样可以确保这是目标用户的合法注册确认,而不是其他人使用随机ID尝试试图劫持注册的URL.
-
-
如果一切都签出,应用程序会将其带到带有用于设置用户名和密码的表单的页面.
-
当他们提交带有有效数据的表单时,应用会将
registration_confirmed
设置为true
并进行注册.
验证来自访客的任何输入是一种很好的做法.经验法则是始终确保您得到的是您所期望的,而没有别的.我想说您做得很好,包括电子邮件验证.
一个小问题;为什么要分两个步骤进行?为什么不允许用户立即输入密码?通常,这会使用户感到舒适.
此外,您可能要考虑使用用户电子邮件地址的MD5哈希(或类似内容),而不是使用registration_confirmation_code.这样,您就不需要多余的字段,并且您甚至可以根据需要省略ID.
-戴夫
I'm working on a registration process for an internal application. My initial design is below.
My main question is whether it's really necessary to include a registration_confirmation_code
. Does it protect the app from a realistic threat or just add unnecessary complexity? I'm not sure about that.
User enters email address. Since this is an internal app, it has to be an agency address.
If it's a valid agency address, app creates a new row in the users table.
The table has a column
registration_confirmed
which isfalse
by default. App won't let a user log in unlessregistration_confirmed
istrue
.The table has a column
registration_confirmation_code
which is a randomly-generated string.
App sends an email to the address the user entered. It contains a link to a page that will let the user confirm their registration and set their username and password.
The link has the user's
id
andregistration_confirmation_code
in the query string:http://agencydomain.com/users?id=123®istration_confirmation_code=fab49dk34nw97d
By clicking on the link the user verifies that the address they entered is valid and that they have access to it.
The app finds the user by ID. Before allowing them to visit the page where they can set their username and password, the app checks that...
registration_confirmed
isfalse
. They should only be able to confirm their registration once.registration_confirmation_code
request param matches the value in the DB for that user. That ensures this is a legitimate registration confirmation by the intended user and not someone else hitting the URL with random IDs trying to hijack a registration.
If everything checks out, the app takes them to a page with a form for setting their username and password.
When they submit the form with valid data, app sets
registration_confirmed
totrue
and they are registered.
It's a good practice to verify any kind of input you receive from a visitor. Rule of thumb is to always make sure you're getting what you expect, and nothing else. I'd say you're doing it well, including email verification.
A small question though; why make it a two-step process? why not allow the user to enter a password right away? This usually feels much more comfortable for the user.
Also, instead of using registration_confirmation_code, you might want to consider using a MD5 hash (or the like) of the users' email address. That way, you don't need the extra field, and you can even leave out the ID if you like.
-Dave
这篇关于这是一个合理的用户注册过程吗?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!