I have a partially finished sequence diagram but it needs more detail. Once the user has been retrieved from the database, how does the system decide whether to accept or reject a login? I mean, how do I implement it in my sequence diagram:
The type of login your diagram represents is form-based authentication. Breaking it down into steps (no diagram):

1. User enters credentials (username, password) over an https connection.
2. If both credentials have been entered, for example a valid email address for the username and a password (anything), then:
   a. On the server, hash the password from step (1) with whatever algorithm you're using (see here; don't use md5 any more, there are several reasons it's no longer a good candidate such as hash collision and speed issues). Also see here.
   b. On the server, get the row corresponding with the user you want to validate.
3. If the row is present, compare the hash you got in (2a) with what's in the database.
   - If it matches, handle the successful login; most likely you'll want to put a Principal object in the session to identify the logged in user. If you're keeping track of unsuccessful login attempts, zero this number (login was successful).
   - If it doesn't match (incorrect password for specified user), return a failure with a generic message (don't give a potential attacker more information than necessary). Here, if you're also keeping track of failed login attempts, increment the number and if it exceeds the maximum allowed consecutive failures, block the account. Optional: send an email to the registered user informing them of a failed login attempt.
   Else, the row is not present; no user exists with that user name. Return a failure with a generic message.
4. Else (from 2, negative: both credentials have not been entered):
   a. Return a generic validation error (enter both username and password). Don't send anything to the server.

Note: If you're doing it with Java, do not use a String to store the password object as it is immutable. Store it in a char[] array that you can clear as soon as the password is no longer needed.
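The accept/reject decision path from the answer above (both fields present, row lookup, hash comparison, failed-attempt counter with lockout, generic failure message), as an added Python example that is not part of the original answer. It assumes a salted PBKDF2-SHA256 hash as the "whatever algorithm you're using", a constant-time comparison, and an in-memory dict standing in for the database; the usernames and passwords are constructed sample data.

```python
import hashlib
import hmac
import os

MAX_FAILED_ATTEMPTS = 3          # assumption: lock after more than this many consecutive failures
GENERIC_FAILURE = "Invalid username or password"   # same text for bad user and bad password


def hash_password(password: str, salt: bytes, iterations: int = 200_000) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 (an assumed choice; the answer only says 'not md5')."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def make_user(password: str) -> dict:
    """Build one constructed 'database row': per-user salt, stored hash, failure counter, lock flag."""
    salt = os.urandom(16)
    return {"salt": salt, "hash": hash_password(password, salt), "failed": 0, "locked": False}


# Constructed in-memory stand-in for the user table, keyed by username.
USERS = {"alice@example.com": make_user("correct horse battery")}


def login(username: str, password: str, users: dict = USERS):
    """Return (True, principal) on success or (False, message) on rejection."""
    # Step 4: both fields must be present; in a real app this check runs client-side
    # and nothing is sent to the server.
    if not username or not password:
        return (False, "Enter both username and password")
    row = users.get(username)                      # step 2b: fetch the row
    if row is None or row["locked"]:
        # No such user (or blocked account): same generic message, no hint which it was.
        return (False, GENERIC_FAILURE)
    candidate = hash_password(password, row["salt"])   # step 2a: hash the submitted password
    if hmac.compare_digest(candidate, row["hash"]):    # step 3: constant-time hash comparison
        row["failed"] = 0                              # successful login resets the counter
        return (True, {"principal": username})
    # Wrong password: count the failure and block the account once the limit is exceeded.
    row["failed"] += 1
    if row["failed"] > MAX_FAILED_ATTEMPTS:
        row["locked"] = True
    return (False, GENERIC_FAILURE)
```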