Question:
Nowadays, many large websites display a user login form on the homepage. To prevent malicious refreshes, they add verification codes, but this generates a large number of sessions, which occupy server memory.
Solution:
1. Prompt for the verification code only after the account and password have been entered. This is simple to implement, and I don't need to explain how to do it.
2. Avoid generating a large number of sessions altogether. This solution is relatively complicated and is only for research and fun; for practical applications, the above solution is recommended.
Step 1: Generate a unique verification ID (a GUID can be used) and a verification code for each visit, encrypt them with 3DES, and save the result to the client.
Step 2: The server compares the verification code entered by the user with the verification code in the 3DES-encrypted data. If they are equal, continue.
Step 3: Check whether the unique verification ID has been used recently (memcached can be used). If not, continue
Step 4: Save this unique verification ID to the recently used list
Complete
Note: This solution avoids a lot of session maintenance through encryption, but there will be additional encryption overhead. Use the recently used list to prevent the same verification code from being reused. The "recent" time range can be determined based on the actual situation.
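Steps 1 to 4 as a runnable sketch. This is an added example, not code from the original post. It swaps 3DES for HMAC-SHA256 from the Python standard library (which has no 3DES), so the client holds a keyed digest of the code instead of the encrypted code. The issue timestamp, the 300-second window, the in-process dict standing in for memcached, and the names issue and verify are assumptions.

```python
import hashlib
import hmac
import secrets
import time
import uuid

SERVER_KEY = secrets.token_bytes(32)  # server-side secret (constructed for the example)
RECENT_WINDOW = 300                   # seconds an ID counts as "recent" (assumed value)
_recent_ids = {}                      # stand-in for memcached: verification ID -> expiry


def _mac(vid, issued, code):
    # Keyed digest binding the ID, issue time and code; the client cannot
    # recover the code from it or forge it without SERVER_KEY.
    msg = f"{vid}|{issued}|{code}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def issue(code, now=None):
    """Step 1: build the token stored on the client with the CAPTCHA image."""
    issued = int(time.time() if now is None else now)
    vid = uuid.uuid4().hex
    return f"{vid}.{issued}.{_mac(vid, issued, code)}"


def verify(token, user_code, now=None):
    """Steps 2-4: check the code, then reject expired or already-used IDs."""
    now = time.time() if now is None else now
    try:
        vid, issued_s, tag = token.split(".")
        issued = int(issued_s)
    except ValueError:
        return False  # malformed token
    # Step 2: constant-time comparison of the submitted code's digest
    if not hmac.compare_digest(tag.encode(), _mac(vid, issued, user_code).encode()):
        return False
    # A token older than the window could outlive its replay-cache entry
    if not 0 <= now - issued <= RECENT_WINDOW:
        return False
    # Step 3: drop expired entries, then check whether the ID was used recently
    for k in [k for k, exp in _recent_ids.items() if exp < now]:
        del _recent_ids[k]
    if vid in _recent_ids:
        return False
    # Step 4: remember the ID until the token itself expires
    _recent_ids[vid] = issued + RECENT_WINDOW
    return True
```

As in the steps above, a wrong guess does not consume the ID, so one token can be guessed against repeatedly until it expires. Recording the ID before comparing the code would limit each token to a single attempt.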