做code为＆QUOT的最佳途径;忘记密码＆QUOT; [英] Best way of doing code for "Forgotten Password"

问题描述

网的网站，我想实现忘记的密码。我使用下列步骤

net website, i would like to implement forget password. I am using following steps

1. 形成的登录ID和电子邮件Id和验证码的输入框


2. 当用户输入详细信息并提交，在后台之后，产生的验证新的密码，并在数据库取代旧密码。


3. 新passowrd被发送给用户的电子邮件时

请帮助我，我是否在做正确与否？

Please help me whether i am doing right or not?

是否有相同的其他安全机制？

Is there any other secure mechanism for the same?

谢谢，我得到你的答复。确实，这是一个安全的机制。但在这里我有几个疑问

Thanks, i got your reply. Really this is a secure mechanism. But here i have few doubt

1. 要显示给用户什么信息我当他忘记的密码页面中输入登录ID和电子邮件地址？


2. 消息是否会同样的有效用户和用户mallicious？

使用CSRF令牌
3. 的优势？任何帮助/链接


4. 当链路用户点击那么我应该怎么做;因为正如我猜测用户​​应该自动洛到他们的帐户 - 然后之后，我有2个选择（第一）自动发送新密码的用户（第二次）的新形式将会显示用户在那里用户将enetr旧密码和新密码两次？

请帮忙？

推荐答案

我可以看到为什么你要一个CAPTCHA，但我会采取不同的方法。

I can see why you'd want a CAPTCHA, but I'd take a different approach.

1. 当密码重置请求检查复位尚未要求该帐户在过去的 X 的分钟。如果密码已经被要求忽略复位请求。


2. 检查IP请求重置密码。如果IP已请求在最近的是的分钟忽略请求重置密码。


3. 如果在1安培的检查; 2通过检查帐户存在。如果不忽略该请求。


4. 如果我们已经得到了这一步生成一个一次性令牌，这在以Z 的分钟，其中包含此令牌密码重置网址过期。通过电子邮件发送给注册的电子邮件地址。当网址加载提示输入新密码，并重新设置。

1. When a password reset is requested check that a reset has not already been requested for that account within the last X minutes. If a password has already been requested ignore the reset request.
2. Check the IP requesting the password reset. If that IP has requested a password reset in the last Y minutes ignore the request.
3. If the checks in 1 & 2 pass check the account exists. If it doesn't ignore the request.
4. If we've gotten this far generate a one time token, which expires in Z minutes and a password reset URL which encompasses this token. Email this to the registered email address. When the URL is loaded prompt for a new password and reset.

对于那些谁认为你应该告诉那里的电子邮件已经我强烈反对用户。这就是信息泄露，即使你限制它的域名。例如说我注册的JeffAtwoodEatsBabies.com为blowdart。如果杰夫曾要求对我来说是密码重置，并显示出你的注册域名，然后他会看到idunno.org。这是我的个人域名，因此杰夫就知道blowdart用户，其实我。这是一个坏人坏事的事情。我不应该为了保护自己从code显示电子邮件域向所有人使用Gmail或Hotmail或任何注册。

For those who believe that you should tell the user where the email has gone I strongly disagree. This is "information leakage", even if you do limit it to the domain name. For example say I've registered on JeffAtwoodEatsBabies.com as blowdart. If Jeff had requested a password reset for me and you showed the registration domain then he'd see idunno.org. This is my personal domain and thus Jeff would know the blowdart user is, in fact, me. This is a bad bad thing. I should not have to register using hotmail or gmail or whatever in order to protect myself from your code showing an email domain to all and sundry.

此外，您不应该在显示所有错误消息。不管发生什么事，一个用户名实际上不注册，或者过多的请求已作出或天空已经下降，你应该告诉的密码重置过程已启动用户。通知用户的帐户不存在更多的信息泄露。

In addition you shouldn't be showing error messages at all. No matter what happens, a username is not actually registered, or too many requests have been made or the sky has fallen you should be telling the user that the password reset procedure has started. Informing a user that an account doesn't exist is more information leakage.

您可以做的最后一件事就是添加一个CSRF令牌来复位请求页面，所以它不能从其他网站驱动。

One final thing you could do is add a CSRF token to the reset request page, so it cannot be driven from other web sites.

的跟进的

因此​​，要回答你的其他问题。

So to answer your further questions.

1. 您展示什么样的信息给你。 重设密码说明已通过电子邮件发送到注册电子邮件此帐户是一个想法，但实际上它是到你的听众。


2. 上面已经解决。


3. 维基百科是一个很好的起点。你怎么做取决于您的平台，是一个完整的另一个问题！对于ASP.NET你可以看看我的codePLEX项目， HTTP：//anticsrf.$c$cplex.com 还是看<一个href=\"http://msdn.microsoft.com/en-us/library/system.web.ui.page.viewstateuserkey.aspx\">ViewStateUserKey.


4. 当链接被点击我会先验证令牌反对它被应用到那么我要么允许用户输入新的密码，或生成一个新的，通过电子邮件发送的用户名的URL。你不能提示输入旧的，因为整个的一点是用户忘记了！

1. What message you show is up to you. "Instructions for resetting your password have been emailed to the registered email for this account" is one idea, but really it's down to your audience.
2. Already addressed above.
3. Wikipedia is a good starting point. How you do it depends on your platform and is a complete other question! For ASP.NET you could look at my codeplex project, http://anticsrf.codeplex.com or look at ViewStateUserKey.
4. When the link is clicked I would first validate the token in the URL against the username it's being applied to then I would either allow the user to enter a new password, or generate a new one and email it. You can't prompt for the old one, as the whole point is the user has forgotten it!

这篇关于做code为＆QUOT的最佳途径;忘记密码＆QUOT;的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！