edge cases for a user system_问答_开发者_运维开发者技术经验分享

So, I'm writing a user/authentication system for my node.js web framework.

What edge cases sh开发者_StackOverflow中文版ould I be concerned about from either a usability or security perspective?

Passwords must be hashed in the database using a one way hash algorithm. This keeps you from having to know their password. Selecting the right algorithm is important. MD5 is considered insecure due to multiple vulnerabilities. SHA1 hasn't been proven to insecure as MD5 has, but it's considered theoretically weak. It's better to transition to SHA2 or SHA256. SHA2 is required by the government by end of 2010.

http://en.wikipedia.org/wiki/MD5

Passwords should be salted. This prevents dictionary attacks on your password. By combining a random piece of information means an attacker can't take a bunch of words and try them one by one to see what hashes match up in your system.

http://en.wikipedia.org/wiki/Salt_(cryptography)

Key strengthening helps combat weak passwords because weak passwords hurt your system's security. You can iterate several 1000 times using the hash algorithm to raise the complexity of brute forcing passwords.

http://en.wikipedia.org/wiki/Key_strengthening

Make sure your users submit their logins over https for web applications. Otherwise they are submitting their passwords in the clear. Do not try and get clever with Javascript. Just use https and be done with it.

You have to weigh usability with privacy. Using email address instead of user name is really nice because it's easy to remember, but if you have a social site people aren't going to like you publishing their email address. Sometimes it's nice to accept username or email addresses.

Another thing you need to consider is how your users will stay logged into your system. Sessions, cookies, etc. Sessions are easy, but they can get expensive if your site has millions of users. You can use memcache or one of the plethora of distributed caches in Java to store them. However, other alternatives are using HMACs. Remember unlike one-way hashes HMAC has a private key that must be protected on your servers. Take steps to secure the private key with some form of symmetric encryption if you choose to use HMAC+cookies to identify users. Also have a drop dead date where the HMAC can't be used past. HMACs should only be good for a fixed length of time. Your software must enforce that. Do not rely on cookie timeouts to do this for you.

Other things to consider are using OpenID because it really helps your users access your site without having to go through a sign up process. I have an android application that I don't ask for an account upfront, but if they choose to use certain features I ask them to sign up. And, the retention of users is much higher by not forcing them to log in. People drop during a sign up process.

Make sure your methods in your application force someone to be authenticated before they will execute. You'll need to have a way to force all method calls through a portion of your application before the method gets called, and if they aren't authenticated redirect them to login. Try and remember the page they were going too.

There are others, but I'm not entirely sure this is what you're looking for. Good luck, and it pays to do a little research with google on security.

Common edge cases:

People forget passwords.
People turn off Javascript, Flash, cookies... any technology you could think of to rely on.
Security is hard, and all you have to do is mess up once to ruin your month. My recommendation: Let someone else do it. If you can avoid reinventing that wheel, do so.