Login and registration system for iOS development

1. Classification of login types:

1. Ordinary login

2. Login using a separate system

3. Single sign-on

4. OAuth 2.0 login

 

The details are as follows:

1. Ordinary login:

For an ordinary login all you need is a login page: the user enters the account and password, the form is submitted, and the back end looks up the password hash stored for that username in the database and compares it with the submitted password.

Password hash: what is stored in the database is not the password itself but a ciphertext (digest) derived from the plaintext password by an irreversible algorithm, so the plaintext cannot be recovered from the stored value.

Session principle: the session relies on a cookie. After a successful login the server issues a session identifier, the browser stores it in a cookie, and on later requests the server uses that cookie to look up which user is logged in.
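The two points above (a one-way password hash in the database, and a session cookie that only references server-side state) in working form. This is an added example, not code from the original post; the in-memory dictionaries stand in for the database and session store, and the PBKDF2 work factor is an assumption.

```python
import hashlib
import hmac
import os
import secrets
from typing import Dict, Optional, Tuple

# Constructed in-memory "database": username -> (salt, digest). Stands in for the real DB.
USER_DB: Dict[str, Tuple[bytes, bytes]] = {}
# Server-side session store: session id (the cookie value) -> username.
SESSIONS: Dict[str, str] = {}

PBKDF2_ITERATIONS = 600_000  # assumption: current OWASP guidance for PBKDF2-HMAC-SHA256


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest). The digest is a one-way derivation; the password is not recoverable."""
    if salt is None:
        salt = os.urandom(16)  # per-user random salt defeats precomputed tables
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def register(username: str, password: str) -> bool:
    """Store only salt + digest; return False if the username is already taken."""
    if username in USER_DB:
        return False
    USER_DB[username] = hash_password(password)
    return True


def verify_password(username: str, password: str) -> bool:
    record = USER_DB.get(username)
    if record is None:
        # Do the same amount of work for an unknown user so timing does not reveal
        # which usernames exist.
        hash_password(password)
        return False
    salt, stored = record
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(stored, candidate)  # constant-time comparison


def login(username: str, password: str) -> Optional[str]:
    """On success create a server-side session and return the value to set in the cookie."""
    if not verify_password(username, password):
        return None
    session_id = secrets.token_urlsafe(32)  # random, unguessable; carries no user data itself
    SESSIONS[session_id] = username
    return session_id


def current_user(cookie_value: Optional[str]) -> Optional[str]:
    """Resolve the cookie back to a user; unknown or missing cookies mean 'not logged in'."""
    if not cookie_value:
        return None
    return SESSIONS.get(cookie_value)


def logout(cookie_value: str) -> None:
    """Invalidate the session server-side; clearing the cookie alone is not enough."""
    SESSIONS.pop(cookie_value, None)


if __name__ == "__main__":
    register("alice", "correct horse battery staple")
    sid = login("alice", "correct horse battery staple")
    print("logged in as:", current_user(sid))
    print("wrong password accepted?", login("alice", "wrong") is not None)
```

The cookie value is only a random key into `SESSIONS`; the user identity and credentials never leave the server, which is what makes a session cookie different from the self-contained tokens discussed in the later sections.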

 

2. Login using an independent system:

The goal is to prevent a stolen token from being usable to log in to the website system indefinitely. After the user enters the account and password and logs in successfully, the passport (login) system redirects to the callback address provided by www.xxx.com, carrying a reversibly encrypted token that contains the user information; the callback decrypts it, and if the contents match, the user is logged in. Note that the encrypted information must contain a timestamp, the receiver must check that timestamp, and a token whose timestamp has expired must fail the login.

 

3. Single sign-on:

Single sign-on (SSO) means that once a user has logged in at site A, the user is automatically logged in at site B, site C, and sites E, F and G as well.

The three implementations are as follows:

<1> Using a cookie as the credential medium

A cookie is used as the medium that stores the user's credentials. After the user logs in to the parent application, it returns an encrypted cookie. When the user accesses a sub-application, the request carries that cookie; the sub-application is authorized to decrypt and verify it, and if verification passes, the current user is logged in.

<2> Using JSONP

After the user logs in to the parent application, a cookie matching the session is stored on the client. When the user needs to log in to a child application, the child application is authorized to call the JSONP interface provided by the parent application; because the request goes to the parent application's domain name, it carries the parent application's cookie. The parent application receives the request, verifies the user's login status, and returns encrypted information. The child application parses the returned encrypted information to verify the user, and logs the user in if verification passes.

<3> Using page redirection

Information is passed securely through redirects back and forth between the parent application and the child application. The parent application provides a GET login interface, which the user reaches through a redirect link from the sub-application. If the user is not logged in, a login page is returned and the user enters the account and password to log in. If the user is already logged in, an encrypted token is generated and the user is redirected to the token verification interface provided by the sub-application; after decrypting and verifying the token, the sub-application logs in the current user.
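Both the independent-system login in section 2 and the redirection-based SSO in <3> above hand a user token from one site to another through a redirect and rely on a timestamp check at the receiver. The following added example (not the post's code) implements that issue/verify pair. It uses an HMAC-signed token rather than the reversibly encrypted one the post describes, because the Python standard library has no authenticated encryption; the integrity check, the timestamp check and the short validity window are the security-relevant parts and are identical either way. The shared secret and the 60-second lifetime are assumptions.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Assumed secret shared by the passport/parent site (issuer) and the callback/sub-application (verifier).
SHARED_SECRET = b"constructed-demo-secret-rotate-in-production"
TOKEN_TTL_SECONDS = 60   # assumption: a redirect token only needs to survive one round trip
CLOCK_SKEW_SECONDS = 5   # assumption: tolerated difference between the two sites' clocks


def _b64e(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(user_id: str, now: Optional[float] = None) -> str:
    """Issuer side: bind the user id and the issue time together under an HMAC."""
    payload = {"uid": user_id, "ts": int(now if now is not None else time.time())}
    body = _b64e(json.dumps(payload, separators=(",", ":")).encode("utf-8"))
    sig = hmac.new(SHARED_SECRET, body.encode("ascii"), hashlib.sha256).digest()
    return f"{body}.{_b64e(sig)}"


def verify_token(token: str, now: Optional[float] = None) -> Optional[str]:
    """Verifier side: return the user id only if the MAC is valid and the timestamp is fresh."""
    try:
        body, sig = token.split(".", 1)
        expected = hmac.new(SHARED_SECRET, body.encode("ascii"), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64d(sig)):
            return None  # tampered payload or wrong issuer
        payload = json.loads(_b64d(body))
        ts = int(payload["ts"])
        uid = str(payload["uid"])
    except (ValueError, KeyError, TypeError):
        return None  # malformed token: treat exactly like a bad signature
    current = now if now is not None else time.time()
    if ts > current + CLOCK_SKEW_SECONDS:
        return None  # "issued in the future": reject rather than trust a forged timestamp
    if current - ts > TOKEN_TTL_SECONDS:
        return None  # expired: the post's required failure case
    return uid


def build_callback_url(callback_base: str, user_id: str) -> str:
    """What the passport/parent application redirects the browser to after a successful login."""
    return f"{callback_base}?token={issue_token(user_id)}"


if __name__ == "__main__":
    url = build_callback_url("https://www.xxx.com/sso/callback", "user-42")
    token = url.split("token=", 1)[1]
    print("fresh token ->", verify_token(token))
    print("same token 2 minutes later ->", verify_token(token, now=time.time() + 120))
```

The timestamp bounds how long a captured token can be replayed; if a single replay within the window is still unacceptable, the verifier additionally records tokens it has already accepted and rejects a second presentation. If the user information in the token must also stay confidential, replace the HMAC with an authenticated-encryption scheme such as AES-GCM, keeping the same timestamp check.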

 

4. OAuth 2.0 login:

Many apps now offer third-party login, such as "WeChat login", "Weibo login" and "QQ login". These third-party logins all implement the OAuth 2.0 protocol. The third party provides a login entry point, which is a login page under the third party's domain name. When the main site needs the user to log in, it redirects the user to that third-party login page. The user enters the account and password and logs in to the third-party system. Once the third-party system has matched the account, it redirects to the main site's callback address carrying a code. After receiving the code, the main site must promptly use it to call the interface the third party provides for obtaining a long-term credential, because the code expires after a short time. This long-term credential is called the access_token. The APIs provided by the third party require this access_token, because it is the identity credential that represents the user in the third-party system. Some systems also return a second parameter, refresh_token, when the access_token is obtained, because the access_token itself has an expiry time: once it expires, the main site can use the refresh_token to call the third party's interface and obtain a new access_token and a new refresh_token.
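The authorization-code flow described above, with both sides modelled: a constructed stand-in for the third-party authorization server and the main site's code exchange. This is an added example, not code from the post or from any real provider's SDK; the token lifetimes, client credentials and registered callback URL are assumptions. Beyond what the paragraph states, it also shows three checks a provider performs that make the flow safe: the code is bound to the registered callback address, it is single-use, and the client secret is required to exchange it.

```python
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

CODE_TTL = 60            # assumption: the code is only valid for a short time
ACCESS_TTL = 3600        # assumption: access_token lifetime in seconds
REFRESH_TTL = 30 * 86400 # assumption: refresh_token lifetime in seconds


@dataclass
class ThirdPartyAuthServer:
    """Constructed stand-in for the provider side (the "WeChat/Weibo/QQ" system)."""
    client_id: str
    client_secret: str
    redirect_uri: str  # the callback address the main site registered with the provider
    codes: Dict[str, Tuple[str, float]] = field(default_factory=dict)    # code -> (user, issued_at)
    access: Dict[str, Tuple[str, float]] = field(default_factory=dict)   # access_token -> (user, issued_at)
    refresh: Dict[str, Tuple[str, float]] = field(default_factory=dict)  # refresh_token -> (user, issued_at)

    def authorize(self, user: str, redirect_uri: str, now: float) -> Optional[str]:
        """The user has logged in on the provider's page; issue a code for the registered callback only."""
        if redirect_uri != self.redirect_uri:
            return None  # never send the code to an unregistered address
        code = secrets.token_urlsafe(24)
        self.codes[code] = (user, now)
        return code

    def _issue_tokens(self, user: str, now: float) -> dict:
        access_token, refresh_token = secrets.token_urlsafe(32), secrets.token_urlsafe(32)
        self.access[access_token] = (user, now)
        self.refresh[refresh_token] = (user, now)
        return {"access_token": access_token, "refresh_token": refresh_token, "expires_in": ACCESS_TTL}

    def token(self, code: str, client_id: str, client_secret: str, now: float) -> Optional[dict]:
        """Exchange a fresh, unused code for access_token + refresh_token."""
        if (client_id, client_secret) != (self.client_id, self.client_secret):
            return None
        entry = self.codes.pop(code, None)  # pop: a code can be exchanged exactly once
        if entry is None:
            return None
        user, issued_at = entry
        if now - issued_at > CODE_TTL:
            return None  # the main site waited too long
        return self._issue_tokens(user, now)

    def refresh_tokens(self, refresh_token: str, client_id: str, client_secret: str, now: float) -> Optional[dict]:
        """Trade a refresh_token for a new pair; the old refresh_token is retired (rotation)."""
        if (client_id, client_secret) != (self.client_id, self.client_secret):
            return None
        entry = self.refresh.pop(refresh_token, None)
        if entry is None or now - entry[1] > REFRESH_TTL:
            return None
        return self._issue_tokens(entry[0], now)

    def userinfo(self, access_token: str, now: float) -> Optional[str]:
        """A provider API: only answers for a valid, unexpired access_token."""
        entry = self.access.get(access_token)
        if entry is None or now - entry[1] > ACCESS_TTL:
            return None
        return entry[0]


def main_site_login(server: ThirdPartyAuthServer, user: str, now: float) -> Optional[dict]:
    """Main-site side: the user comes back to the callback with a code, and it is exchanged immediately."""
    code = server.authorize(user, server.redirect_uri, now)  # the redirect to the provider, collapsed
    if code is None:
        return None
    return server.token(code, server.client_id, server.client_secret, now)


if __name__ == "__main__":
    provider = ThirdPartyAuthServer("main-site", "constructed-secret", "https://main.example/oauth/callback")
    tokens = main_site_login(provider, "user-1", now=0.0)
    print("access_token works:", provider.userinfo(tokens["access_token"], now=10.0))
    print("after expiry:", provider.userinfo(tokens["access_token"], now=ACCESS_TTL + 1))
```

In a real deployment the main site also sends an unguessable `state` value with the redirect and checks it on the callback, so that a code delivered to its callback can be tied to the session that started the login.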

 

2. Several ways to log in:

1. Account (mobile phone number / email / username) + password login

2. Mobile phone number + verification code login

3. Third-party login

 

3. Types of login flow:

1. The product's functions and services can only be used after logging in

2. The product, or part of its functions, can be used without logging in first

 

4. Several ways to register:

1. Email registration

2. Mobile phone number registration

3. Username registration

4. Third-party registration

 

5. Types of registration flow:

1. Registration completed on a single page

2. Registration completed step by step across several pages

 

6. Points to note for login and registration:

1. Checking whether the email address / phone number is already taken

2. Checking that the email address / phone number is valid

3. The mechanism for the login password

4. Whether a password confirmation field is needed

5. Whether a verification code is needed

6. The resend mechanism for verification codes

7. Abnormal states during the login and registration process

8. After registration or login, always return directly to the flow step that required the login
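Points 1, 2, 5 and 6 above in working form: an added example (not the post's code) of the account checks and the verification-code lifecycle for a phone/email registration. The format patterns, the code lifetime, the resend cooldown and the attempt limit are all assumptions; the "delivery" step is a placeholder for the real SMS or email gateway.

```python
import hmac
import re
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Constructed format checks (point 2). Adjust to the markets the product serves.
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
PHONE_RE = re.compile(r"^1[3-9]\d{9}$")  # assumption: mainland-China mobile numbers

CODE_TTL = 300         # assumption: seconds a verification code stays valid
RESEND_COOLDOWN = 60   # assumption: seconds before the same account may ask for another code
MAX_ATTEMPTS = 5       # assumption: wrong guesses before the code is thrown away


def account_kind(account: str) -> Optional[str]:
    """Classify the identifier as 'email' or 'phone', or None if it is not well-formed."""
    if EMAIL_RE.match(account):
        return "email"
    if PHONE_RE.match(account):
        return "phone"
    return None


@dataclass
class PendingCode:
    code: str
    issued_at: float
    attempts: int = 0


class VerificationService:
    def __init__(self) -> None:
        self.registered: Set[str] = set()            # accounts already taken (point 1)
        self.pending: Dict[str, PendingCode] = {}    # accounts with a live code
        self.outbox: List[Tuple[str, str]] = []      # stand-in for the SMS/email gateway

    def request_code(self, account: str, now: float) -> str:
        """Validate the account, enforce the resend cooldown (point 6), and issue a fresh code (point 5).
        Returns a status string; the code itself goes out of band, never back to the caller."""
        if account_kind(account) is None:
            return "invalid_account"
        if account in self.registered:
            return "already_registered"
        existing = self.pending.get(account)
        if existing is not None and now - existing.issued_at < RESEND_COOLDOWN:
            return "cooldown"  # do not let a client spam the gateway or the user
        code = f"{secrets.randbelow(1_000_000):06d}"  # CSPRNG, fixed width, leading zeros kept
        self.pending[account] = PendingCode(code, now)  # a resend replaces the old code
        self.outbox.append((account, code))
        return "sent"

    def confirm(self, account: str, submitted: str, now: float) -> str:
        """Check a submitted code: expiry, attempt limit, then a constant-time compare."""
        entry = self.pending.get(account)
        if entry is None:
            return "no_code"
        if now - entry.issued_at > CODE_TTL:
            del self.pending[account]
            return "expired"
        entry.attempts += 1
        if entry.attempts > MAX_ATTEMPTS:
            del self.pending[account]  # a six-digit code must not be brute-forceable
            return "too_many_attempts"
        if not hmac.compare_digest(entry.code, submitted):
            return "wrong_code"
        del self.pending[account]  # single use
        self.registered.add(account)
        return "registered"


if __name__ == "__main__":
    svc = VerificationService()
    print(svc.request_code("13812345678", now=0.0))      # sent
    print(svc.request_code("13812345678", now=10.0))     # cooldown
    _, code = svc.outbox[-1]
    print(svc.confirm("13812345678", code, now=20.0))    # registered
    print(svc.request_code("13812345678", now=30.0))     # already_registered
```

The status strings map directly onto the "abnormal states" of point 7: each distinct failure is something the client UI has to present, and none of them leaks the code or whether a guess was close.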

 

7. Levels at which login and registration are designed:

1. User level: different target user groups call for different login and registration methods.

2. Functional level: making sure the logic of the whole login/registration module is sound and the flow runs smoothly.

3. Business level: different business logic needs different login/registration methods and flows; different functional modules also differ in where a login is required.

4. Product level: different product types place different requirements on the login/registration module.

 
