开发者

How do I secure user registration?

开发者 https://www.devze.com 2022-12-08 19:38 出处:网络
What is the most secure way of registering new users? I know SSL is a good pick. But can I have SSL on user registration only?

What is the most secure way of registering new users?

I know SSL is a good pick. But can I have SSL on user registration only?

Take Wordpress for example. User registration is at http://en.wordpress.com/signup/. And the user registration form is sent to https://en.wordpress.com/wp-login.php.

The same goes for login.

How can I make just registratio开发者_运维知识库n / and login use SSL ? I don't want SSL for any other parts of the site (yet).


My recommendation would be to use SSL for the page that contains the login/signup form, as well as for the page that is being posted to. Using SSL only for the posted-to page is already very good, but if you want to add more protection then the form-containing page should be served over an authenticated channel.

This is to guard, of course, against the possible (even if, perhaps, unprobable) modification of the form-containing page by an adversary; but what may be more important is that it would make the user aware that their personal information is being kept secret, before they actually have to submit that information. If you have SSL only for the posted-to page, the user may not have a way of telling whether their personal details will go over a secure channel.


Like @Inshallah mentions, links to the http://en.wordpress.com/signup/ for the signup page.

And, after the signup completes the wp-login.php should be redirecting user to another page. Hack that address to use an absolute address rather than relative like: - if it is redirecting to index.php, change it to http://en.wordpress.com/wp-login.php so the user will only be using SSL while signing up.

0

精彩评论

暂无评论...
验证码 换一张
取 消