What are best practices for activation/registration/password-reset links in emails with nonce
Question
Applications send out emails to verify user accounts or reset a password. I believe the following is the way it should be and I am asking for references and implementations.
If an application has to send out a link in an email to verify the user's address, according to my view, the link and the application's processing of the link should have the following characteristics:
1. The link contains a nonce in the request URI (http://host/path?nonce).
2. On following the link (GET), the user is presented a form, optionally with the nonce.
3. User confirms the input (POST).
4. The server receives the request and
   - checks input parameters,
   - performs the change,
   - and invalidates the nonce.
This should be correct per the HTTP RFC on Safe and Idempotent Methods.
The problem is that this process involves one additional page or user action (item 3), which is considered superfluous (if not useless) by a lot of people. I had problems presenting this approach to peers and customers, so I am asking for input on this from a broader technical group. The only argument I had against skipping the POST step was a possible pre-loading of the link by the browser.
- Are there references (best-practice journals, blogs, ...) on this topic that might explain the idea better and convince even non-technical people?
- Are there reference sites (preferably popular, with many users) that implement this approach?
- If not, is there a documented or equivalent alternative?
Thank you,
Kariem
Details spared
I have kept the main part short, but to reduce too much discussion around the details which I had intentionally left out, I will add a few assumptions:
- The content of the email is not part of this discussion. The user knows she has to click the link to perform an action. If the user does not react, nothing happens, which is also well known.
- We don't have to explain why we are mailing the user, nor the distribution policy. We assume the user wants to receive the email.
- The nonce has an expiration timestamp and is directly associated with the recipient's email address to reduce duplicates.
Remarks
With OpenID and the like, normal web applications are relieved from implementing standard user account management (password, email ...), but still some customers want 'their own users'.
Strangely enough I haven't found a satisfying question or answer here yet. What I have found so far:
Recommended answer
This question is very similar to Implementing secure, unique, single-use activation URLs in ASP.NET (C#) (http://stackoverflow.com/questions/938031/implementing-secure-unique-single-use-activation-urls-in-asp-net-c/938076#938076).
My answer there is close to your scheme, with a few issues pointed out - such as a short period of validity, handling double signups, etc.
Your use of a cryptographic nonce is also important, which many tend to skip over - e.g. "let's just use a GUID"...
One new point that you do raise, and this is important here, is wrt the idempotency of GET.
Whilst I agree with your general intent, it's clear that idempotency is in direct contradiction to one-time links, which are a necessity in some situations such as this.
I would have liked to posit that this doesn't really violate the idempotentness of the GET, but unfortunately it does... On the other hand, the RFC says GET SHOULD be idempotent, it's not a MUST. So I would say forgo it in this case, and stick to the one-time auto-invalidated links.
If you really want to aim for strict RFC compliance, and not get into non-idempotent(?) GETs, you can have the GET page auto-submit the POST - kind of a loophole around that bit of the RFC, but legit, and you don't require the user to double opt-in, and you're not bugging him...
You don't really have to worry about preloading (are you talking about CSRF, or browser-optimizers?)... CSRF is useless because of the nonce, and optimizers usually won't process javascript (used to auto-submit) on the preloaded page.
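The scheme from the question (nonce in the link, a safe GET that only renders the form, a POST that performs the change and invalidates the nonce) together with the answer's points (a cryptographic nonce rather than a GUID, a short validity period, handling double signups) can be shown in one small token store. This is an added example, not code from the question, the answer or the linked ASP.NET thread; the `NonceStore` class, its in-memory dictionary, the `purpose` strings and the injected clock are all assumptions made for the illustration.

```python
import hashlib
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional
from urllib.parse import urlencode


@dataclass
class PendingToken:
    """One outstanding activation / reset token (hypothetical record)."""
    email: str
    purpose: str          # e.g. "verify-email" or "reset-password"
    expires_at: float     # absolute time, seconds
    used: bool = False


class NonceStore:
    """Hypothetical in-memory store; a real application would back this with its database."""

    def __init__(self, ttl_seconds: int = 3600, now: Callable[[], float] = time.time):
        self.ttl = ttl_seconds
        self.now = now                      # injectable clock so expiry can be tested
        self._tokens: Dict[str, PendingToken] = {}

    @staticmethod
    def _digest(nonce: str) -> str:
        # Only the hash is stored: a leaked table must not yield usable links.
        return hashlib.sha256(nonce.encode("utf-8")).hexdigest()

    def issue(self, email: str, purpose: str) -> str:
        # Double signup / repeated reset request: older tokens for the same
        # address and purpose stop working, so only the newest link is live.
        for tok in self._tokens.values():
            if tok.email == email and tok.purpose == purpose:
                tok.used = True
        # 32 random bytes from the OS CSPRNG; a GUID is not guaranteed unpredictable.
        nonce = secrets.token_urlsafe(32)
        self._tokens[self._digest(nonce)] = PendingToken(
            email=email, purpose=purpose, expires_at=self.now() + self.ttl
        )
        return nonce

    def _lookup(self, nonce: str, purpose: str) -> Optional[PendingToken]:
        tok = self._tokens.get(self._digest(nonce))
        if tok is None or tok.used or tok.purpose != purpose:
            return None
        if tok.expires_at < self.now():
            return None                     # short validity window has passed
        return tok

    def peek(self, nonce: str, purpose: str) -> bool:
        # GET handler: safe and idempotent. It only decides whether to render
        # the confirmation form; a pre-loading browser changes nothing.
        return self._lookup(nonce, purpose) is not None

    def consume(self, nonce: str, purpose: str) -> Optional[str]:
        # POST handler: performs the change and invalidates the nonce in one
        # step. Returns the bound email address, or None if the token was
        # unknown, expired, already used, or issued for a different purpose.
        tok = self._lookup(nonce, purpose)
        if tok is None:
            return None
        tok.used = True
        return tok.email


def build_link(base_url: str, nonce: str) -> str:
    """Assemble the http://host/path?nonce=... form of the link from the question."""
    return base_url + "?" + urlencode({"nonce": nonce})


if __name__ == "__main__":
    store = NonceStore(ttl_seconds=900)
    nonce = store.issue("user@example.com", "verify-email")   # constructed address
    print("mail this link:", build_link("https://host/path", nonce))
    print("GET renders form:", store.peek(nonce, "verify-email"))
    print("POST confirms:", store.consume(nonce, "verify-email"))
    print("second POST:", store.consume(nonce, "verify-email"))
```

The split between `peek` and `consume` is the whole point of the question's extra step: repeated GETs (including a browser prefetch) never change server state, and the single state change is tied to the POST, which also retires the nonce so the link cannot be replayed.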