问题
I want to implement:
If users tries to login with invalid username & password for more than 3 times. I would like to forward them to my "reset password page".
What is the logic behind this. I'm unable to catch the exact logic for this problem. Please help.
What I thought to apply:
passing default value from my form textfield as Login_attempt=1 from my form ,
//geter & setter of loginAttempt
if(loginAttempt>3)
{
return resetPassword;//forwarding to resetPassword.jsp from my struts.xml
}
else
{
//perform other tasks
}
But from my above logic I have doubt : How can I increment the loginAttempt value on each time of the form submits. so that my above code will work for me.
If you have any other logic to implement. Please share with me.
回答1:
Doing that as you want would become a security hole, as the number of attempts would be part of the html, so anyone could change it (you don't need special tools, you can do that with chrome dev tools for example). So with this in mind some malicious user could make a program to have infinite attempts to try a brute force attack.
To avoid this security gap you may use one of the following approaches:
Store the number of attempts in the session. In my opinion this is the easiest way given that you're using Struts2 as your framework. To get the session in your Struts2 Action you should implement the SessionAware interface. Also, don't forget to reset the value of the attempts once the user has logged in successfuly.
Some developers don't like using the session so they use a database. This is a better approach than the session in terms of performance, specially if your website has a high number of users.
Another option would be using the cookies or even a hidden parameter in a form but encrypting it's information (the first one is the aproach of the Ruby on Rails framework for example).
The best choice depends on your project's requirements. In my own opinion you shouldn't use the last option unless you are using some framework or tool that gives support for it.
To chose between the other two options a good indicator would be the amount of users you expect your website will have (if you have few or you're doing a private website the session may be a better aproach. The database is always fine but the development time needed is usually higher and it might be a little more harmful for maintainability).
Of course there are many more solutions for this but I think I have covered the most common.
回答2:
To roughly answer your new question, completely untested:
public class LoginAction {
// Getters, setters, password checking, utils, etc. elided.
public String execute() {
return tooManyAttempts(password) ? RESET_PASSWORD : SUCCESS;
}
public boolean tooManyAttempts(String password) {
Integer attempts = default(session.get(LOGIN_ATTEMPTS), 0);
attempts = passwordCorrect() ? 0 : attempts + 1;
session.put(LOGIN_ATTEMPTS, attempts);
return attempts > 3;
}
}
Your code is a little difficult to read.
来源:https://stackoverflow.com/questions/14042488/how-to-forward-users-to-resetpassword-page-if-users-attempt-to-login-more-then