I'm new to authentication with websites, and I've been doing a lot of reading on the different kinds of user authentication (for example session vs token authentication) you can use. However, a lot of it seems more than what I need, and I'm not sure which ones will be suitable for my cause.
我是网站认证的新手,我一直在阅读你可以使用的各种用户认证(例如会话与令牌认证)。然而,很多看起来比我需要的更多,而且我不确定哪些适合我的事业。
My idea is to generate temporary user accounts and passwords that will expire after the first use. I want this integrated with my website, so they have one chance to view restricted pages, after which they will not allowed access to those parts again (unless provided with new credentials).
我的想法是生成临时用户帐户和密码,这些帐户和密码将在首次使用后过期。我希望这与我的网站集成,因此他们有一次机会查看受限制的页面,之后他们将不再允许再访问这些部分(除非提供新的凭据)。
Any direction in the right step will be appreciated.
正确的步骤中的任何方向将不胜感激。
Update: I'm using Javascript(Node) as my server side language
更新:我使用Javascript(Node)作为我的服务器端语言
1 个解决方案
#1
1
Session-based authentication is actually incredibly lightweight if you're using a Node backend, due to most (if not all) webserver libraries supporting "middleware", which modify requests before they hit your route functions. The Express-compatable middleware client-sessions is fantastic for this, and I used it previously in a project with great success. It adds a cookie on the first request a user makes to your site which identifies them, and if at some point they log in, you can flag that session as authenticated, store session information, and other data related to them specifically.
如果您使用Node后端,基于会话的身份验证实际上非常轻量级,因为大多数(如果不是全部)支持“中间件”的Web服务器库会在请求到达您的路由功能之前对其进行修改。可与Express兼容的中间件客户端会话非常棒,我之前在项目中使用它非常成功。它会在用户向您的站点发出的第一个请求中添加一个cookie来识别它们,如果他们在某个时刻登录,您可以将该会话标记为已通过身份验证,存储会话信息以及与其相关的其他数据。
Assuming you want both login & logout, the simplest way would to be to use POSTs over HTTPS to login & logout routes. Inside of the resolution for the login route, you would simply "mark for deletion" inside whatever database you're working with.
假设您需要登录和注销,最简单的方法是使用HTTPS上的POST来登录和注销路由。在登录路径的分辨率内部,您只需在您正在使用的数据库中“标记删除”。
An example might look like this:
示例可能如下所示:
var app = express();
function authenticate(user, pw){
//do your application specific login verification here
}
function deleteAccount(user){
//do your application specific user removal here
}
app.use(require("express-session")({
secret : "YOUR-SECRET-KEY-HERE"
cookieName : "Session"
//any other desired config options go here
})
app.post("/login", function(req, res){
var user = req.body.user;
var pw = req.body.pw;
req.Session.isAuthenticated = authenticate(user, pw)
if(req.Session.isAuthenticated){
markForDeletion(user, pw);
}
res.write("logged in as: " + user);
res.end();
});
app.post("/logout", function(req, res){
deleteAccount(req.Session.username);
req.Session.username = "";
req.Session.isAuthenticated = false;
res.write("logged out!");
res.end();
});
#1
1
Session-based authentication is actually incredibly lightweight if you're using a Node backend, due to most (if not all) webserver libraries supporting "middleware", which modify requests before they hit your route functions. The Express-compatable middleware client-sessions is fantastic for this, and I used it previously in a project with great success. It adds a cookie on the first request a user makes to your site which identifies them, and if at some point they log in, you can flag that session as authenticated, store session information, and other data related to them specifically.
如果您使用Node后端,基于会话的身份验证实际上非常轻量级,因为大多数(如果不是全部)支持“中间件”的Web服务器库会在请求到达您的路由功能之前对其进行修改。可与Express兼容的中间件客户端会话非常棒,我之前在项目中使用它非常成功。它会在用户向您的站点发出的第一个请求中添加一个cookie来识别它们,如果他们在某个时刻登录,您可以将该会话标记为已通过身份验证,存储会话信息以及与其相关的其他数据。
Assuming you want both login & logout, the simplest way would to be to use POSTs over HTTPS to login & logout routes. Inside of the resolution for the login route, you would simply "mark for deletion" inside whatever database you're working with.
假设您需要登录和注销,最简单的方法是使用HTTPS上的POST来登录和注销路由。在登录路径的分辨率内部,您只需在您正在使用的数据库中“标记删除”。
An example might look like this:
示例可能如下所示:
var app = express();
function authenticate(user, pw){
//do your application specific login verification here
}
function deleteAccount(user){
//do your application specific user removal here
}
app.use(require("express-session")({
secret : "YOUR-SECRET-KEY-HERE"
cookieName : "Session"
//any other desired config options go here
})
app.post("/login", function(req, res){
var user = req.body.user;
var pw = req.body.pw;
req.Session.isAuthenticated = authenticate(user, pw)
if(req.Session.isAuthenticated){
markForDeletion(user, pw);
}
res.write("logged in as: " + user);
res.end();
});
app.post("/logout", function(req, res){
deleteAccount(req.Session.username);
req.Session.username = "";
req.Session.isAuthenticated = false;
res.write("logged out!");
res.end();
});