From this question I really like @woliveirajr's answer because it solves:
从这个问题我非常喜欢@ woliveirajr的答案,因为它解决了:
- how to protect against releasing e-mail addresses used on a website
- verifies the owner of the e-mail address
如何防止发布网站上使用的电子邮件地址
验证电子邮件地址的所有者
To avoid this kind of leak, you could also begin the registration process by asking for the e-mail. After entering it, you would send an e-mail with a link so that the user could continue with the registration process. If the e-mail was already registered, you would send an e-mail saying that.
为了避免这种泄漏,您还可以通过询问电子邮件开始注册过程。输入后,您将发送带有链接的电子邮件,以便用户可以继续注册过程。如果电子邮件已经注册,您将发送一封电子邮件说明。
That way, only the owner of the e-mail could register.
这样,只有电子邮件的所有者才能注册。
Drawbacks:
- probably the real, common users will get bored by having so much steps to register.
可能真正的普通用户会因为有如此多的注册步骤而感到无聊。
- in very few cases simple revealing that an e-mail is already registered in a site is a problem, specially because it's easy to register at any site providing any e-mail that you want. You'll just won't receive the e-mail to activate your account, but in general the site will link the account / username to that e-mail.
在极少数情况下,简单地揭示电子邮件已经在网站中注册是一个问题,特别是因为它很容易在任何提供您想要的电子邮件的网站上注册。您将不会收到激活您帐户的电子邮件,但一般情况下,该网站会将帐户/用户名链接到该电子邮件。
Where I'm uncertain is how to implement a system where a user can only access the registration page when they click on a link from an e-mail. Would the registration page retrieve data passed to it using GET and verify "a code" to know whether or not the user can register, and this code changes every 30 minutes? For example, the e-mailed registration link could be mysite.com/register.php?secretcode=as18d and register.php checks "the code" as18d but this code would change every 30 minutes. Is this the idea? Would the code be generated by a salted hash based on the system time?
我不确定的是如何实现一个系统,用户只有在点击电子邮件链接时才能访问注册页面。注册页面是否会检索使用GET传递给它的数据并验证“代码”以了解用户是否可以注册,并且此代码每30分钟更改一次?例如,电子邮件注册链接可以是mysite.com/register.php?secretcode=as18d,register.php检查“代码”为18d,但此代码每30分钟更改一次。这是个主意吗?代码是否会根据系统时间由salted哈希生成?
Or, instead of e-mail a link with a few letters could be e-mailed which the user enters into the registration page to authenticate, kind of like how captures work but not really.
或者,可以通过电子邮件发送用户进入注册页面进行身份验证的电子邮件,而不是电子邮件,有点像捕获工作但不是真的。
2 个解决方案
#1
0
The general approach to this is to use an unguessable token, such as a GUID that is embedded in the link so that it gets submitted with the GET. This should be secure since it is highly statistically unlikely that someone will randomly guess a GUID for any user regardless of the time they spend trying to guess, thus expiration isn't even really necessary.
对此的一般方法是使用不可授权的令牌,例如链接中嵌入的GUID,以便通过GET提交。这应该是安全的,因为在高度统计上,有人会随机猜测任何用户的GUID,无论他们花费多少时间尝试猜测,因此甚至不需要到期。
It is worth noting this should be done over an SSL link to avoid the possibility of a man in the middle compromising the verification process.
值得注意的是,这应该通过SSL链接来完成,以避免中间人破坏验证过程的可能性。
#2
0
There's no way on the server side to guarantee that an HTTP request came from an link in an email message. You can't trust anything from the client side; it can all be spoofed and manipulated.
服务器端无法保证HTTP请求来自电子邮件中的链接。你不能相信客户方面的任何事情;它都可以被欺骗和操纵。
What you need is a hard to guess token. Long and random are good starting points.
你需要的是一个难以猜测的令牌。长而随机是很好的起点。
Disagree with AJ on expiration for several reasons.
出于几个原因,在过期时不同意AJ。
- If your user db gets large, you don't want to track un-used tokens for years and years.
- If someone requests an activation token and doesn't use it after a few days, it's unlikely they will. Might as well remove it.
如果您的用户数据库变大,您不希望多年和多年跟踪未使用的令牌。
如果有人请求激活令牌并且几天后不使用它,那么他们就不太可能。不妨删除它。
#1
0
The general approach to this is to use an unguessable token, such as a GUID that is embedded in the link so that it gets submitted with the GET. This should be secure since it is highly statistically unlikely that someone will randomly guess a GUID for any user regardless of the time they spend trying to guess, thus expiration isn't even really necessary.
对此的一般方法是使用不可授权的令牌,例如链接中嵌入的GUID,以便通过GET提交。这应该是安全的,因为在高度统计上,有人会随机猜测任何用户的GUID,无论他们花费多少时间尝试猜测,因此甚至不需要到期。
It is worth noting this should be done over an SSL link to avoid the possibility of a man in the middle compromising the verification process.
值得注意的是,这应该通过SSL链接来完成,以避免中间人破坏验证过程的可能性。
#2
0
There's no way on the server side to guarantee that an HTTP request came from an link in an email message. You can't trust anything from the client side; it can all be spoofed and manipulated.
服务器端无法保证HTTP请求来自电子邮件中的链接。你不能相信客户方面的任何事情;它都可以被欺骗和操纵。
What you need is a hard to guess token. Long and random are good starting points.
你需要的是一个难以猜测的令牌。长而随机是很好的起点。
Disagree with AJ on expiration for several reasons.
出于几个原因,在过期时不同意AJ。
- If your user db gets large, you don't want to track un-used tokens for years and years.
- If someone requests an activation token and doesn't use it after a few days, it's unlikely they will. Might as well remove it.
如果您的用户数据库变大,您不希望多年和多年跟踪未使用的令牌。
如果有人请求激活令牌并且几天后不使用它,那么他们就不太可能。不妨删除它。