忘记密码场景 - 如何创建令牌 [英] Forgotten password scenario - how to create a token

问题描述

我想在 Web 应用程序中实现忘记密码的场景.系统将向用户发送一封电子邮件，其中包含一个唯一的 URL，用户可以点击该 URL 以允许他们重置密码.网上有很多关于这方面的指导.以下是一个很好的链接，建议如何实现这一点.为忘记密码"编写代码的最佳方式

I would like to implement a forgotten password scenario in an web application. The system will send out an email to the user containing a unique url that the user can hit to allow them to reset their password. There is loads of guidance on this online. The following is a good linke suggesting how to implement this. Best way of doing code for "Forgotten Password"

我不完全理解的部分是令牌生成.这是什么意思??这只是一个存储在服务器上的针对用户的 guid(或随机字符串)(可能在 users db 表中).guid 也在 url 中发送(作为查询字符串)，这样当请求到达 web 服务器时，它可以查找 guid 并找到要重置的用户帐户.还有比这更多的吗?许多人谈论令牌过期.我可以根据 guid 存储一个过期时间，在此之后无法完成帐户重置.

The part I do not understand fully is the token generation. What does this mean?? Is this just a guid (or random string) that is stored on the server against the user (maybe in the users db table). The guid is also sent in the url (as querystring) so that when the request hits the web server it can look the guid up and find which user account to reset. Is there more to it than this? Many people talk about token expiration. I could store an expiration time against the guid after which the account reset cannot be done.

有些人建议使用 CSRF 令牌，但我无法理解在这种情况下这将如何工作.

Some have suggested a CSRF token, but I cannot understand how this would work in this scenario.

任何指导将不胜感激... :)

Any guidance would be much appreciated... :)

推荐答案

存储一个随机生成的(至少)128 位服务器端令牌，连同用户名和到期日期，将工作得很好.

Storing a randomly generated token of (at least) 128 bits server-side, together with the username and an expiration date, will work perfectly fine.

实现相同目的的另一种方法(无需在服务器端存储任何内容)是计算

Another way to achieve the same (without having to store anything server-side) is computing

hash = hash(secret + user name + expiration date)

其中 + 表示合并，hash() 是加密安全的哈希函数(如 SHA2) 和 secret 是一个(至少)128 位的字符串，只有你知道，并且将此发送给用户:

where + denotes concenation, hash() is a cryptographically secure hash function (like SHA2) and secret is a string of (at least) 128 bits that is only known to you, and send this to the user:

user name + expiration date + hash

两种方法都实现了相同的安全性，但请注意 - 在令牌过期之前 - 用户可以多次更改其密码.

Both method achieve the same security, but note that - until the token expires - the user could change his password several times.

在第一种情况下，确保 token 是随机创建的(例如，如果您使用的是 linux，则使用 /dev/random).第二个中的 secret 也是如此.但是 secret 是静态的(不是为每个请求新生成的).

In the first case, make sure that token is created randomly (e.g. using /dev/random if you're on linux). The same goes for secret in the second. But secret is static (not newly generated for every request).

这篇关于忘记密码场景 - 如何创建令牌的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！