关于用户名/密码与秘密 URL 的安全问题 [英] Security concerns regarding username / password vs secret URL

问题描述

我有一个带有注册表单的简单网站.目前，用户可以通过个人(秘密)网址，使用注册时不可用的(非关键、低安全性")信息来补充他们的注册.

I have a simple site with a sign-up form. Currently the user can complement their registration with (non-critical, "low security") information not available at the time of the sign-up, through a personal (secret) URL.

即，一旦他们点击提交，他们会收到如下消息:

I.e., once they click submit, they get a message like:

感谢您的注册.您可以通过以下个人网址添加信息来补充您的注册:

     http://www.example.com/extra_info/cwm8iue2gi

Thanks for signing up. You can complement your registration by adding information through this personal URL:

      http://www.example.com/extra_info/cwm8iue2gi

现在，我的客户要求我扩展应用程序以允许用户完全更改他们的注册，包括更敏感的信息，例如帐单邮寄地址等.

Now, my client asks me to extend the application to allow users to change their registration completely, including more sensitive information such as billing address etc.

我的问题:使用秘密 URL 而不是完整的用户名/密码系统是否存在任何安全问题?

我能想到的唯一问题是 URL 存储在浏览器历史记录中.不过，这并不让我担心.我错过了什么吗?

The only concern I can come up with is that URLs are stored in the browser history. This doesn't worry me much though. Am I missing something?

如果有人更改了其他一些用户的注册信息，这并不是世界末日.(这只会涉及一些额外的体力劳动.)我不会详细介绍为此应用程序设置 https 的范围.

It's not the end of the world if someone changes some other users registration info. (It would just involve some extra manual labor.) I will not go through the extent of setting up https for this application.

推荐答案

另一个潜在的问题在于用户本身.大多数人都意识到密码是他们应该尝试保护的东西.但是，有多少用户可能会意识到他们应该做出某种努力来保护您的秘密网址?

Another potential problem lies with the users themselves. Most folks realize that a password is something they should try to protect. However, how many users are likely to recognize that they ought to be making some sort of effort to protect your secret URL?

这篇关于关于用户名/密码与秘密 URL 的安全问题的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！