Form-based authentication for websites

We believe that Stack Overflow should not just be a resource for very specific technical questions, but also for general guidelines on how to solve variations on common problems. "Form based authentication for websites" should be a fine topic for such an experiment.

It should include topics such as:

  • How to log in
  • How to log out
  • How to remain logged in
  • Managing cookies (including recommended settings)
  • SSL/HTTPS encryption
  • How to store passwords
  • Using secret questions
  • Forgotten username/password functionality
  • Use of nonces to prevent cross-site request forgeries (CSRF)
  • OpenID
  • "Remember me" checkbox
  • Browser autocompletion of usernames and passwords
  • Secret URLs (public URL protected by digest)
  • Checking password strength
  • E-mail validation
  • and much more about form based authentication...

It should not include things like:

  • Roles and authorization
  • HTTP basic authentication

Please help us by:

  1. Suggesting subtopics
  2. Submitting good articles about this subject
  3. Editing the official answer


Why exclude HTTP Basic Authentication? It can work in HTML Forms via Ajax: peej.co.uk/articles/http-auth-with-html-forms.html


HTTP Basic Auth has the property of being (comparatively) difficult to make a browser forget. It's also horribly insecure if you don't use it with SSL to secure the connection (i.e., HTTPS).


I think it'd be worth talking about sessions (including fixation and hijacking), cookies (the secure and http only flags), and HTTP based SSO.


The super-useful HttpOnly cookie flag, which prevents JavaScript-based cookie theft (a subset of XSS attacks), should be mentioned somewhere too.


Wow. Lengthy answers, dozens of upvotes for some of them, yet nobody mentions the common mistake of serving login forms over HTTP. I've even argued with people who said "but it submits to https://..." and only got blank stares when I asked if they were sure an attacker didn't rewrite the non-encrypted page the form was served over.


Well, I don't really agree with the Captcha part. Yes, Captchas are annoying and they can be broken (except recaptcha, but this is barely solvable by humans!), but this is exactly like saying don't use a spam filter because it has less than 0.1% false negatives... This very site uses Captchas; they are not perfect, but they cut a considerable amount of spam and there's simply no good alternative to them.


Jeff: I'm sorry to hear that you have issues with my reply. I didn't know there was a debate on Meta about this answer, I would have gladly edited it myself if you'd asked me to. And deleting my posts just deleted 1200 reputation from my account, which hurts :(


"After sending the authentication tokens, the system needs a way to remember that you have been authenticated - this fact should only ever be stored serverside in the session data. A cookie can be used to reference the session data." Not quite. You can (and should, for stateless servers!) use a cryptographically signed cookie. That's impossible to forge, doesn't tie up server resources, and doesn't need sticky sessions or other shenanigans.

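As an added illustration of the signed-cookie approach the comment above describes (example code written for this page, not from the thread or from any answer): an HMAC-SHA256-signed session cookie carrying a user id and an expiry, verified in constant time. The secret key and the user id are constructed placeholders.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed secret for this example only; a real server loads a long random
# key from a secrets store, never from source code.
SECRET_KEY = b"example-only-32-byte-secret-key!"


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_session_cookie(user_id: str, ttl_seconds: int, now=None) -> str:
    """Build a stateless session cookie of the form payload.signature.

    Nothing is stored server-side: the HMAC tag over the encoded payload is
    what lets the server detect any change to the user id or the expiry.
    """
    now = time.time() if now is None else now
    claims = {"uid": user_id, "exp": int(now + ttl_seconds)}
    body = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    tag = hmac.new(SECRET_KEY, body.encode(), hashlib.sha256).digest()
    return body + "." + b64url_encode(tag)


def verify_session_cookie(cookie: str, now=None):
    """Return the user id if the cookie is authentic and unexpired, else None."""
    now = time.time() if now is None else now
    try:
        body, tag_b64 = cookie.split(".", 1)
        expected = hmac.new(SECRET_KEY, body.encode(), hashlib.sha256).digest()
        # Constant-time comparison: a byte-by-byte compare would leak the tag.
        if not hmac.compare_digest(expected, b64url_decode(tag_b64)):
            return None
        claims = json.loads(b64url_decode(body))
        exp = claims["exp"]
        uid = claims["uid"]
    except (ValueError, TypeError, KeyError, AttributeError):
        return None
    return uid if exp > now else None
```

The cookie should still be sent with the Secure and HttpOnly flags discussed elsewhere in this thread; signing only prevents forgery, not theft.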

"a desktop PC can search the FULL KEYSPACE up to 7 characters in less than 90 days" A machine with a recent GPU can search the full 7 char keyspace in less than 1 day. A top of the line GPU can manage 1 billion hashes per second. golubev.com/hashgpu.htm This leads to some conclusions about password storage which aren't directly addressed.


I'm surprised CSRF protection hasn't been mentioned...


Given the recent MITM vulnerability surrounding signed SSL certificates (blog.startcom.org/?p=145), a combination of SSL and some kind of challenge-response authentication (there are alternatives to SRP) is probably a better solution.


A lot of this stuff is situational. I tend not to use session cookies at all. Cookies getting hijacked is almost always the server's fault. Man in the middle / packet sniffing aren't that common.


BCrypt Nuget package : nuget.org/List/Packages/BCrypt


Note 1 about this answer: it is a draft, to be edited as a wiki. If you can edit this, you're welcome to.


BrowserID link is dead


The project seems to have been mothballed.... see en.wikipedia.org/wiki/Mozilla_Persona


This is a useful anti-spam trick, but I would suggest using a field name other than 'email', or you may find that browser auto-fill fills it in, inadvertently blocking genuine users of your site.


I also have several more of these using `visibility:hidden` and also `position:absolute;top:-9000px`. You can also do `text-indent` and `z-index` on a few of these elements and place them in compressed CSS files with awkward names, since bots can detect `display:none` and they now check for a range of combinations. I actually use these methods and they're old tricks of the trade. +1


What happens when a user with a vision impairment is using a screenreader to navigate the form?


This technique has a name: the honeypot en.wikipedia.org/wiki/Honeypot_(computing)


No need for inline styling. Just add a class to the field (maybe use a weird word that could never mean anything to a bot), and hide it via the site's CSS file. Like: <input type="text" name="email" class="cucaracha"> and in your CSS: .cucaracha { display:none; }.


Hard to tell which answer you are talking about in 'I do not think the above answer is "wrong"'


SHA-512 is also fast, so you need thousands of iterations.


"don't use fast hash algorithms... slower hashes are better" - Explanation? Documentation?


Explanation: The faster you can create hashes, the faster any brute force checker can work. Slower hashes will therefore slow down brute forcing. A slow hash algorithm will make brute forcing impractical for longer passwords (8 digits +)


More like something like bcrypt which is designed to hash slowly.

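An added example (not from the thread) of the salted, deliberately slow hashing the preceding comments call for: the thread names bcrypt, but this uses PBKDF2-HMAC-SHA512 from the Python standard library so it runs without a third-party package. The iteration count, record format and sample passwords are assumptions for illustration.

```python
import hashlib
import hmac
import os
import time

# Work factor: HMAC-SHA512 rounds per password guess. Tune so that one check
# costs tens of milliseconds on the server; an attacker pays the same cost per
# candidate, which is what makes brute force impractical for longer passwords.
ITERATIONS = 200_000
ALGORITHM = "pbkdf2_sha512"


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: algorithm$iterations$salt_hex$hash_hex."""
    salt = os.urandom(16)  # fresh per-user salt defeats precomputed tables
    digest = hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"), salt, iterations)
    return "$".join([ALGORITHM, str(iterations), salt.hex(), digest.hex()])


def verify_password(password: str, record: str) -> bool:
    """Recompute with the stored salt and rounds; compare in constant time."""
    try:
        algorithm, iterations, salt_hex, digest_hex = record.split("$")
        if algorithm != ALGORITHM:
            return False
        candidate = hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"),
                                        bytes.fromhex(salt_hex), int(iterations))
        return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))
    except ValueError:  # malformed record: wrong field count, bad hex or rounds
        return False


def seconds_per_guess(iterations: int) -> float:
    """Measure the cost of one guess at a given work factor (constructed input)."""
    start = time.perf_counter()
    hashlib.pbkdf2_hmac("sha512", b"benchmark", b"0123456789abcdef", iterations)
    return time.perf_counter() - start
```

Storing the iteration count in the record lets you raise the work factor later and rehash each user on their next successful login.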

A simple link in an email isn't actually secure, since email is not secure.


It is as secure as any other token based password reset system that is not two-factor though. Which is almost all of them.


Did you fall into the punctuation well as a child? :) I've read it three times and I am still lost at what point you are trying to make. But if you are saying "Sometimes you do not need form based authentication" then you are right. But considering we are discussing when we do need it, I don't see why this is very important to note?


My point is that the world outside a corporation is entirely different from the world inside. If you are building an app that is accessible to the "wooly wide web," and for general consumption by the public, then you have no choice but to roll your own authentication and authorization methods. But, inside a corporation, where the only way to get there is to be there or to use VPN, then it is very likely that the application will not have – must not have – "its own" methods for doing these things. The app must use these methods instead, to provide consistent, centralized management.


Even intranets require a minimum amount of security in the building. Sales has confidential profit and loss numbers, while engineering has confidential intellectual property. Many companies restrict data across departmental or divisional lines.
