douxian8883 2014-09-30 14:23
浏览 27

Web应用程序登录系统

I am using revel to build my webapplication and trying to write authentication module. I finished with sign up part and now heading to write sign in part. I read about security part on The definitive guide to form-based website authentication and will use this recommendation.

What I am really do not know is, how sign in works. I am imaging that the process works like this:

  1. User write username and password into the html form and press sign in
  2. Server receive request and the controller will check, if user information match with data on database.
  3. If yes, how continue.

The third point is where I am staying. But I have some idea how could works and not sure, if is the right way.

So when sign in information match with the database, I would set in session object(hash datatype) key value pair signed_in: true. Everytime when the user make a request to the webapplication, that need to be authenticated, I would look in the session object, if signed_in is true or not.

This is the way I would do, but as I mentioned above, I do not know if it is the right way.

  • 写回答

1条回答 默认 最新

  • dongluan7821 2014-09-30 20:07
    关注

    Yes like @twotwotwo mentioned, give it the user id and also a role.

    So server side rendered flow: Step 1

    • user sends username (or other identifier) and secret.
    • using scrypt or bcrypt the secret is checked against the stored salted hash in the database
    • if it matches you create a struct or a map
    • serialize struct or map into string (json, msgpack, gob)
    • encrypt the string with AES https://github.com/gomango/utility/blob/master/crypto.go (for instance). Set a global AES key.
    • create a unique cookie (or session) identifier (key)
    • store identifier and raw struct or map in database
    • send encrypted cookie out (id = encrypted_struct_or_map aka the encrypted string)

    On a protected resource (or page): Step 2

    • read identifier from cookie
    • check if id exists in db
    • decode cookie value using AES key
    • compare values from cookie with stored values
    • if user.role == "allowed_to_access_this_resource" render page
    • otherwise http.ResponseWriter.WriteHeader(403) or redirect to login page

    Now if you wanted you could also have an application-wide rsa key and before encrypting the cookie value sign the string with the rsa private key (in Step 1). In Step 2 decode with AES key, check if signature valid, then compare content to db stored content.

    On any changes you have to update the cookie values (struct/map) and the info in the database.

    评论

报告相同问题?

悬赏问题

  • ¥15 c语言怎么用printf(“\b \b”)与getch()实现黑框里写入与删除?
  • ¥20 怎么用dlib库的算法识别小麦病虫害
  • ¥15 华为ensp模拟器中S5700交换机在配置过程中老是反复重启
  • ¥15 java写代码遇到问题,求帮助
  • ¥15 uniapp uview http 如何实现统一的请求异常信息提示?
  • ¥15 有了解d3和topogram.js库的吗?有偿请教
  • ¥100 任意维数的K均值聚类
  • ¥15 stamps做sbas-insar,时序沉降图怎么画
  • ¥15 买了个传感器,根据商家发的代码和步骤使用但是代码报错了不会改,有没有人可以看看
  • ¥15 关于#Java#的问题,如何解决?