WO2015062441A1 - Cgi web interface multi-session verification code generation and verification method - Google Patents

Info

Publication number
WO2015062441A1
Authority
WO
WIPO (PCT)
Prior art keywords
verification code
verification
page
code
group
Application number
PCT/CN2014/089249
Other languages
French (fr)
Chinese (zh)
Inventor
杨育斌
柯宗贵
Original Assignee
蓝盾信息安全技术有限公司
Application filed by 蓝盾信息安全技术有限公司

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials

Definitions

  • The C++ structure of verification code generation and verification in the present invention is as follows:
  • The method realizes multi-session verification codes in C++, so that multiple users can operate at the same time. Implementing multi-session support in C++ gives stronger concurrency and a more secure verification function, which strengthens the security of the system against attack.
  • The invention can also generate and verify verification codes without checking their validity, that is, whether a verification code has expired, but this lets verification codes accumulate in large numbers and occupy memory.
  • The invention can also use C++ to generate the verification code directly on the page and verify it on the page, but this may make the system insecure: some malicious users will bypass the page's verification and communicate with the server directly, so the check must be done on the server side to prevent malicious attacks.

Landscapes

  • Engineering & Computer Science
  • Computer Security & Cryptography
  • Computer Networks & Wireless Communication
  • Signal Processing
  • Storage Device Security
  • Management, Administration, Business Operations System, And Electronic Commerce

Abstract

The present invention discloses a CGI web interface multi-session verification code generation and verification method. Said method is different to the methods of verification code generation in other systems, as the verification code generation of the present invention occurs on a CGI page, and verification is carried out on a C++ background module; security performance is therefore high and concurrent processing capability is strong. Furthermore, the present invention is different to the methods of verification of verification codes in other systems; other systems can only verify one group of verification codes, and so, in the case of a plurality of simultaneous user device requests, verification codes are overlaid, causing errors in the code verification of one or a plurality of users. The present invention solves this problem, as different users request different verification codes which are not mutually interdependent.

Description

Method for generating and verifying multi-session verification codes under a CGI web interface
Technical field
The invention relates to the field of network applications, and in particular to a method for generating and verifying multi-session verification codes under a CGI web interface.
Background
A verification code is a verification step placed around user login. Its purpose is to prevent malicious password cracking, vote stuffing, forum flooding and page-refresh abuse, and in particular to stop an attacker from using a program to make continuous brute-force login attempts against a specific registered user. Using a verification code is now common practice on many websites. Although it makes logging in slightly more troublesome, the feature is necessary and important for the security of the user's password. Users are still reminded to protect their passwords: use passwords of 6 or more characters that mix digits, letters and symbols, and do not use simple passwords such as 1234 or passwords that are the same as or similar to the user name, so that the account is not stolen and does not cause unnecessary trouble. A verification code usually consists of some lines and some irregular characters; its main purpose is to prevent attackers from automating login attempts and thereby stealing the password.
Invention patent CN200810105458.8 provides an apparatus and method for validating web form data. The apparatus includes: a validator management module, which manages at least one validator and maintains the correspondence between validator identifiers and validators; and a script module, which receives a call request to generate script code, the request containing the form field information of a web form, obtains from the validators managed by the validator management module the validator associated with the form field in that web form, calls that validator to obtain script code for client-side data validation, and outputs the script code, which the client uses to validate the data in the form field. That invention reduces inconsistency between client-side and server-side validation logic and so reduces the probability of system errors. However, it specifies validation on the client and does not specify validation in the server back end, so the protection it gives the user is weak.
In addition, invention patent CN200810173544.2 provides a system for web page verification, comprising: an authentication module, which checks whether a user identifier is unique in the system, the user identifier being related to the user's identity; a data hiding module, which, according to a data hiding algorithm, generates a first data hiding object from the user identifier, at least one web page identifier and a base object, each web page identifier being associated with the identification of one web page; a memory module, which stores at least one of the user identifier, the web page identifiers, the base object and the parameters required by the data hiding algorithm; and a verification module, which, based on a web page identifier, obtains the first data hiding object from a web page, obtains the user identifier and all web page identifiers from the memory module based on that web page identifier, generates a second data hiding object from the obtained web page identifiers, the obtained user identifier and the base object, and compares the first data hiding object with the second. The main drawback of that invention is that it does not address multi-session handling or the security issues in processing a verification code, so its performance and security may not be very reliable.
In summary, some existing verification code schemes still have problems with security and with multi-user login. The entered verification code is not verified in the back end but only checked in the page, which is a security risk; and they do not consider that, when multiple users operate at once, a verification code can be overwritten and so become invalid. The present invention is proposed to remedy these shortcomings.
Summary of the invention
The purpose of the invention is to overcome the defects of the prior art by providing a method for generating and verifying multi-session verification codes under a CGI web interface that gives stronger concurrency and a more secure verification function, thereby strengthening the security of the system.
The verification code is generated as follows:
First, the page is rendered by a CGI interface written in Perl. Opening the page produces two 4-digit random numbers and the current time; these three items are saved to the configuration file as one verification code group. One 4-digit number is used to generate the digits shown in the verification code image, and the other uniquely identifies the current page. While the group is being saved, the group data generated by the page is passed to a back-end save module written in C++. The save module first uses the saved time item of each group to check, group by group, whether previously saved groups have exceeded their validity period; by default each group is valid for 10 minutes. If a group has timed out, its data is deleted, and the group obtained from the page is then saved to the configuration file; if no group in the configuration file has timed out, the group generated by the page is saved directly. Once the group is saved, one of its 4-digit numbers is used as the verification code and rendered as the digit pattern of the verification code image shown on the page, and the other 4-digit number is kept hidden as the unique identifier of this page. Generation of the verification code is then complete. The back-end save module written in C++ carries out the save process described above, which realizes the generation and storage of the verification code.
The verification code is verified as follows:
The user enters the verification code according to the digits in the verification code image on the displayed page. When submitting, the user first checks that the entered code matches the digits shown in the image, then clicks log in or submit. The page passes the four-digit code entered by the user, the unique identifier of the page and the current time to the back end as a user-entered verification code group, and verification begins. The process is as follows: after the user's group is passed to the back end, the verification module first checks whether any verification code in the configuration file has expired at the current time. If none has expired, it traverses the groups in the configuration file looking for one that matches the incoming group; a match means verification succeeds, otherwise it fails. If some have expired, it deletes the expired ones and then performs the same traversal; a match means verification succeeds, otherwise it fails. The back-end verification module is implemented in C++; verifying the code this way makes the process more secure, and using C++ gives stronger concurrency and realizes verification of multi-session verification codes.
Beneficial effects of the method:
The method generates the verification code and its image through a CGI web page written in Perl and uses C++ to support saving and verifying verification codes for multiple sessions, so that several users can operate at the same time. This solves the problem of verification codes being overwritten or invalidated when several users log in simultaneously. Implementing multi-session support in C++ gives stronger concurrency and a more secure check of the verification code, which strengthens the security of the system and prevents illegitimate users from bypassing verification to make login attempts or attacks; security is greatly improved.
Brief description of the drawings
To explain the technical solutions of the embodiments of the invention or of the prior art more clearly, the drawings needed in describing them are briefly introduced below. The drawings described below are only some embodiments of the invention; a person of ordinary skill in the art can derive other drawings from them without creative effort.
FIG. 1 is a flow chart of verification code generation in the invention;
FIG. 2 is a flow chart of verification code verification in the invention.
具体实施方式detailed description
下面将结合本发明实施例中的附图,对本发明实施例中的技术方案进行清楚、完整地描述,显然,所描述的实施例仅仅是本发明一部分实施例,而不是 全部的实施例。基于本发明中的实施例,本领域普通技术人员在没有作出创造性劳动前提下所获得的所有其他实施例,都属于本发明保护的范围。The technical solutions in the embodiments of the present invention are clearly and completely described in the following with reference to the accompanying drawings in the embodiments of the present invention. It is obvious that the described embodiments are only a part of the embodiments of the present invention, instead of All embodiments. All other embodiments obtained by those skilled in the art based on the embodiments of the present invention without creative efforts are within the scope of the present invention.
本发明提供了一种CGI web界面下的多会话验证码的产生及验证方法,该方法是不同于其他***的验证码的产生方式,本发明的验证码的产生是在CGI页面产生,在C++模块后台进行验证,所以安全性能好,并发处理能力强。此外,本发明是不同于其他***的验证码的校验方式,其他***只能去校验一组验证码,那么就会出现同时有多个用户请求的情况下会使验证码被覆盖,导致其中的一个或者多个用户的验证码校验错误,而本发明很好的解决了这个问题,不同的用户请求不同的验证码,他们是不相互依赖的。The invention provides a method for generating and verifying a multi-session verification code under a CGI web interface, which is a method for generating a verification code different from other systems. The verification code of the present invention is generated on a CGI page in C++. The module is verified in the background, so the security performance is good and the concurrent processing capability is strong. In addition, the present invention is a verification method different from the verification codes of other systems. Other systems can only verify a set of verification codes, and then there will be multiple user requests at the same time, which will cause the verification code to be overwritten, resulting in The verification code of one or more of the users is incorrectly verified, and the present invention solves this problem well. Different users request different verification codes, and they are not interdependent.
本发明中验证码的产生如图1所示:The generation of the verification code in the present invention is as shown in FIG. 1:
First, opening the web page generates two 4-digit random values, for example a79h and u3w8. One serves as the key (a79h) and the other as the value (u3w8). The current time is then obtained, for example 20131022105136, and the three items key:a79h, value:u3w8, time:20131022105136 are saved to the configuration file as one verification code group. During saving, the time item stored with each previously saved group is first compared with the present time to check whether that group has timed out; the default timeout is 10 minutes. Groups that have timed out are deleted, and the group obtained from the page is then saved to the configuration file together with the previously saved groups that have not timed out. If none of the previously saved groups has timed out, the group obtained from the page is saved to the configuration file together with them. After the group is saved, the page generates a verification code picture from the value u3w8 and displays it; u3w8 is what the user sees in the verification code shown on the page. The page also provides an input box in which the user enters the code, while key:a79h is kept hidden in the page. Every page generates its own verification code group when it is displayed and shows its own verification code picture, and the back-end C++ save module stores the groups of all sessions together, which realizes the multi-session verification code function.
The verification of the verification code in the invention is shown in FIG. 2:
The user enters the verification code into the input box according to the verification code picture, for example u3w8. Before submitting, the user first checks that the code entered matches the picture shown on the page. On submission, the page passes the code entered by the user, value:u3w8, and the page identifier, key:a79h, to the back-end verification module as one user-input verification code group. During verification, the module compares the time item saved with each verification code group against the present time to check whether any group in the configuration file has timed out. If none has expired, the module traverses the groups in the configuration file looking for one whose key is a79h and whose value is u3w8; a match means verification succeeds, otherwise it fails. If some groups have expired, they are deleted first and the same traversal is then performed; a match means success, otherwise failure. The result is returned to the page. Every page runs this process independently. Verifying codes this way makes the verification process more secure, and the features of C++ give stronger concurrency, which realizes verification of multi-session verification codes.
The C++ structure for verification code generation and verification in the invention is as follows:
Figure PCTCN2014089249-appb-000001
Figure PCTCN2014089249-appb-000002
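The save and verify steps described above, written as a C++ store. This is an added example, not the patent's own C++ structure (which appears here only as figure references). The names CodeGroup and CodeStore, the in-memory vector used in place of the configuration file, time kept in seconds, and the erase-after-one-attempt step are assumptions of the example.

```cpp
#include <algorithm>
#include <ctime>
#include <mutex>
#include <string>
#include <vector>

// One verification code group as the description defines it: key, value, time.
struct CodeGroup {
    std::string key;    // hidden page identifier, e.g. "a79h"
    std::string value;  // text drawn in the picture, e.g. "u3w8"
    std::time_t saved;  // save time in seconds (assumed representation)
};

// Assumption: an in-memory vector stands in for the patent's configuration file.
class CodeStore {
public:
    explicit CodeStore(std::time_t ttl = 600) : ttl_(ttl) {}  // 10-minute default

    // Save step: delete timed-out groups, then keep the new group with the rest.
    void save(const std::string& key, const std::string& value, std::time_t now) {
        std::lock_guard<std::mutex> lock(mu_);
        purge(now);
        groups_.push_back({key, value, now});
    }

    // Verify step: delete timed-out groups, then search for the submitted key.
    bool verify(const std::string& key, const std::string& value, std::time_t now) {
        std::lock_guard<std::mutex> lock(mu_);
        purge(now);
        auto it = std::find_if(groups_.begin(), groups_.end(),
                               [&](const CodeGroup& g) { return g.key == key; });
        if (it == groups_.end()) return false;  // unknown or expired key
        const bool ok = (it->value == value);
        // Added hardening, not in the patent text: a group allows one attempt,
        // so a code cannot be replayed or guessed at repeatedly.
        groups_.erase(it);
        return ok;
    }

    std::size_t size() {
        std::lock_guard<std::mutex> lock(mu_);
        return groups_.size();
    }

private:
    void purge(std::time_t now) {  // caller holds mu_
        groups_.erase(std::remove_if(groups_.begin(), groups_.end(),
                          [&](const CodeGroup& g) { return now - g.saved > ttl_; }),
                      groups_.end());
    }
    std::time_t ttl_;
    std::mutex mu_;
    std::vector<CodeGroup> groups_;
};

int main() {
    CodeStore store;
    const std::time_t t0 = 1382439096;        // constructed timestamp
    store.save("a79h", "u3w8", t0);           // session 1 (values from the description)
    store.save("k2m5", "p8x4", t0 + 5);       // session 2 (constructed values)
    const bool first = store.verify("a79h", "u3w8", t0 + 60);
    const bool late = store.verify("k2m5", "p8x4", t0 + 700);  // past 10 minutes
    return (first && !late) ? 0 : 1;
}
```

Because each group is looked up by its own key, a second session saving a new code never overwrites the first session's code, which is the failure the description attributes to single-group systems.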
By using C++ to implement multi-session verification codes, the method allows multiple users to operate at the same time. Implementing multi-session handling in C++ gives stronger concurrency and makes the verification code check more secure, which strengthens the security of the system against attack.
The invention can also generate and check verification codes directly without checking their validity, that is, whether a code has expired, but then verification codes pile up in large numbers and occupy memory. The invention can also dispense with C++ and generate and verify the code directly in the page, but this may make the system insecure, because some malicious users bypass the page's verification and communicate with the server directly; the check must therefore also be performed on the server to prevent malicious attacks.
The method for generating and verifying multi-session verification codes under a CGI web interface provided by the embodiments of the invention has been described in detail above. Specific examples are used here to explain the principle and implementation of the invention, and the description of the embodiments is intended only to help in understanding the method and its core idea. A person of ordinary skill in the art may, following the idea of the invention, make changes to the specific implementation and the scope of application. In summary, the content of this specification should not be construed as limiting the invention.

Claims (8)

  1. A method for generating multi-session verification codes under a CGI web interface, characterized in that: the page is generated and displayed by a CGI interface coded in Perl; opening the page generates two 4-digit random values and the current time, and these three items are saved to the configuration file as one verification code group, one 4-digit value being used to generate the digits shown in the picture verification code and the other 4-digit value being used to uniquely identify the current page; while the group is being saved, the verification code group data generated by the page is passed to a back-end save module written in C++; the save module first checks, group by group and according to the time item recorded when each group was saved, whether the validity period of each previously saved group has timed out, the default validity period of each group being 10 minutes; if the time item of a group has timed out, the data of that group is deleted, and the group obtained from the page is then saved to the configuration file; if none of the groups in the configuration file has timed out, the group generated by the page is saved directly; after the group is saved, one of its 4-digit values is used as the verification code to generate the digit pattern of the picture verification code displayed on the page, and the other 4-digit value is kept hidden as the unique identifier of the page, whereupon generation of the verification code is complete.
  2. The method according to claim 1, characterized in that the back-end C++ save module can store the verification code groups of multiple sessions together, which realizes the multi-session verification code function.
  3. The method according to claim 1, characterized in that the invention can also generate verification codes directly without checking their validity, that is, whether a code has expired, but then verification codes pile up in large numbers and occupy memory.
  4. The method according to claim 1, characterized in that the invention can also dispense with back-end saving in C++ and generate the verification code directly in the page.
  5. A method for verifying multi-session verification codes under a CGI web interface, characterized in that: the user enters the verification code according to the digits of the verification code picture on the displayed page; when submitting, the user first checks that the code entered is the same as the digits shown in the page's verification code picture and then clicks log in or submit; the page passes the four-digit code entered by the user, the unique identifier of the page and the current time to the back end as one user-input verification code group, and the verification process begins, as follows: after the user's verification code group is passed to the back end, the verification module first checks whether any verification code in the configuration file that stores the codes has timed out at the current time; if none has expired, the module traverses the verification codes in the configuration file looking for a group that matches the submitted user verification code group, and a match means verification succeeds, otherwise it fails; if some verification codes have expired, they are deleted, and the module then traverses the verification codes in the configuration file looking for a group that matches the submitted group, and a match means verification succeeds, otherwise it fails.
  6. The method according to claim 5, characterized in that every page runs the verification process independently, which makes the verification process more secure, and the features of C++ give stronger concurrency, which realizes verification of multi-session verification codes.
  7. The method according to claim 5, characterized in that the invention can also check verification codes directly without checking their validity, that is, whether a code has expired, but then verification codes pile up in large numbers and occupy memory.
  8. The method according to claim 5, characterized in that the invention can also dispense with C++ and generate and verify the code directly in the page, but this may make the system insecure, because some malicious users bypass the page's verification and communicate with the server directly; the check must therefore also be performed on the server to prevent malicious attacks.
PCT/CN2014/089249 2013-10-30 2014-10-23 Cgi web interface multi-session verification code generation and verification method WO2015062441A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201310526516.5 2013-10-30
CN201310526516.5A CN103532979A (en) 2013-10-30 2013-10-30 Method for generating and verifying multi-conversation verification codes under CGI (common gateway interface) for web

Publications (1)

Publication Number Publication Date
WO2015062441A1 (en) 2015-05-07

Family

ID=49934658

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2014/089249 WO2015062441A1 (en) 2013-10-30 2014-10-23 Cgi web interface multi-session verification code generation and verification method

Country Status (2)

Country Link
CN (1) CN103532979A (en)
WO (1) WO2015062441A1 (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107483435A (en) * 2017-08-11 2017-12-15 青岛海尔多媒体有限公司 Verify the method and device of code check
CN111460340A (en) * 2020-04-03 2020-07-28 北京四维智联科技有限公司 Method and device for generating embedded page address of TOM (time of flight management) system

Families Citing this family (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103532979A (en) * 2013-10-30 2014-01-22 蓝盾信息安全技术股份有限公司 Method for generating and verifying multi-conversation verification codes under CGI (common gateway interface) for web
CN106257480A (en) * 2015-06-05 2016-12-28 北京京东尚科信息技术有限公司 A kind of method and device preventing the robot tool malicious access page
CN105357693A (en) * 2015-09-28 2016-02-24 深圳市江波龙科技有限公司 Method and system for network configuration of WiFi equipment

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20020157007A1 (en) * 2001-04-18 2002-10-24 Nec Corporation User authentication system and user authentication method used therefor
CN101178813A (en) * 2007-12-19 2008-05-14 腾讯科技(深圳)有限公司 Method and apparatus for generating photograph identifying code
CN101252439A (en) * 2008-04-10 2008-08-27 北京飞天诚信科技有限公司 System and method for increasing information safety equipment security
CN102624705A (en) * 2012-02-21 2012-08-01 西南石油大学 Intelligent image verification method and intelligent image verification system
CN103179088A (en) * 2011-12-21 2013-06-26 腾讯科技(深圳)有限公司 Protection method and protection system of common gateway interface business
CN103532979A (en) * 2013-10-30 2014-01-22 蓝盾信息安全技术股份有限公司 Method for generating and verifying multi-conversation verification codes under CGI (common gateway interface) for web

Family Cites Families (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101047537A (en) * 2006-03-30 2007-10-03 盛趣信息技术(上海)有限公司 Log-on method for network pass
CN101072095B (en) * 2007-03-30 2010-11-24 腾讯科技(深圳)有限公司 Control method and device for file downloading
CN102469091B (en) * 2010-11-18 2014-12-10 金蝶软件(中国)有限公司 Method for processing verification codes of pages, device and terminal
CN102255917B (en) * 2011-08-15 2014-09-03 北京宏基恒信科技有限责任公司 Method, system and device for updating and synchronizing keys of dynamic token
CN103312512B (en) * 2013-06-07 2016-03-02 深圳第七大道网络技术有限公司 A kind of generation method of picture validation code and device, auth method and device

Also Published As

Publication number Publication date
CN103532979A (en) 2014-01-22

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 14857880

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

32PN Ep: public notification in the ep bulletin as address of the adressee cannot be established

Free format text: NOTING OF LOSS OF RIGHTS PURSUANT TO RULE 112(1) EPC (EPO FORM 1205A DATED 17.11.16)

122 Ep: pct application non-entry in european phase

Ref document number: 14857880

Country of ref document: EP

Kind code of ref document: A1