Atitit 修改密码的功能流程设计 attilax总结
1.1. 注意点
Req参数需要根据数据库转义,防止sql注入
要输入原密码验证,防止CSRF注入
会话管理防止uid篡改。。建议uid存放在cookie并且aes加密
后台获取uid cookie使用tokenService方式注入。可以灵活支持session,cookie等模式。
在修改密码的过程中,毫不夸张地说,有超过1成的产品找回密码流程存在「越权修改密码」的逻辑漏洞。
1.2. 设计修改用户密码功能时把用户ID保存在哪里?
建议uid存放在cookie并且aes加密
1.3. Ui设计
file:///C:/BaiduYunDownload/atiPlatf_cms_com_2016-11-02%20周三%2023-49-21.66/WebRoot/chgPwd/chgpwd.htm
大概三个box,一个原来密码,俩个新密码。。
1.4. 功能设计源码
function clickx()
{
try{
var jsbrj=newAtiJsBridge();
var dsl="com.attilax.ioc.Ioc4agent.getBean(com.attilax.agent.AgtSrv.class).resetPwd('@old@','@new@')";
dsl=dsl.replace("@old@",$("#old_password").val());
dsl=dsl.replace("@new@",$("#password").val());
//jsbrj.method="post";
var para={};
para.dsl=dsl;
para.$uid_cukname="null_uid_agentUtype";
jsbrj.exe(para,function(data){
console.log(data);
if(data==1)
alert("修改成功")
if(data==0)
alert("修改失败");
//$("#content").val(data);
});
//mycallJava("submitx",$("#title").val(),$("#content").val(),dropIds);
}catch(e)
{
alert(e);
}
}
1.5. AgtSrv .java
/**
*
*/
package com.attilax.agent;
import java.util.List;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;
import com.attilax.collection.list;
import com.attilax.ioc.Ioc4agent;
import com.attilax.ioc.IocFacV3_iocx_iocutil;
import com.attilax.lang.Global;
import com.attilax.net.cookieUtil;
import com.attilax.net.requestImp;
import com.attilax.sql.SqlService;
import com.attilax.token.TokenServiceV2;
import com.attilax.token.TokenServiceV3;
import com.attilax.user.UserService;
import com.csmy.my.center.util.CTUtils;
import com.google.common.collect.Lists;
import com.google.inject.Inject;
/**
* @author attilax 2016年11月2日 下午4:58:08
*/
public class AgtSrv extends UserService {
public static void main(String[] args) {
System.setProperty( "agent_cfgfile","cfg_game.properties" );
AgtSrv srv=com.attilax.ioc.IocFacV3_iocx_iocutil.getBean("com.attilax.ioc.Ioc4agent",AgtSrv.class);
srv=com.attilax.ioc.Ioc4agent.getBean(com.attilax.agent.AgtSrv.class);
// null_uid_agentUtype
requestImp ri=new requestImp();
ri.setParam("$utype", "agent");
Global.req.set(ri);
Cookie ck=new Cookie("null_uid_agentUtyp", "200006");
List li= Lists.newArrayList ();
li.add(ck);
ri.setcookies(li);
try {
System.out.println(srv.resetPwd("1111", "222222"));
} catch (CantFindUserInTokenSrv e) {
// TODO Auto-generated catch block
e.printStackTrace();
}
System.out.println("--f");
}
@Inject
SqlService sqlSrv;
@Inject
TokenServiceV3 tkSrv;
public Object resetPwd(String oldPwd, String newPwd) throws CantFindUserInTokenSrv {
HttpServletRequest req = Global.req.get();
//HttpSession sess = req.getSession();
String uid = tkSrv.getuid();
if(uid.equals(""))
throw new CantFindUserInTokenSrv("uid:"+uid);
// Set<String> capts = (Set<String>) sess.getAttribute("captSet");
// if (capts == null)
// throw new RuntimeException("chkex,capt_null,验证码错误capt_null");
// if (!capts.contains(req.getParameter("captcha")))
// throw new RuntimeException("chkex,capt_err,验证码错误");
String sql = "update agent set pwd='$pwd$' where uid='$acc$' and pwd='$old$'";
// String pwd = req.getParameter("password");
sql = sql.replace("$old$", oldPwd);
sql = sql.replace("$pwd$", newPwd);
sql = sql.replace("$acc$", uid);
System.out.println("--resetPwd:" + sql);
return sqlSrv.executeUpdate(sql);
// StringUtil.getAttrFromPro("ct_user_password", null)));
}
}
参考资料
修改密码的表单设计及整体体验 - 站长之家.html
作者:: 绰号:老哇的爪子 ( 全名::Attilax Akbar Al Rapanui 阿提拉克斯 阿克巴 阿尔 拉帕努伊 )
汉字名:艾提拉(艾龙), EMAIL:1466519819@qq.com
转载请注明来源: http://blog.csdn.net/attilax
Atiend