# System sequence diagram online shopping login password
The type of login your diagram represents is form-based authentication. Breaking it down into steps (no diagram):

1. User enters credentials (username, password) over an https connection.

2. If both credentials have been entered, for example a valid email address for the username and a password (anything), then:

   a. On the server, hash the password from step (1) with whatever algorithm you're using (see here; don't use md5 any more, there are several reasons it's no longer a good candidate, such as hash collisions and speed issues).

   b. On the server, get the row corresponding with the user you want to validate.

   c. Compare the hash you got in (2a) with what's in the database.
      - If it matches, handle the successful login; most likely you'll want to put a Principal object in the session to identify the logged-in user. If you're keeping track of unsuccessful login attempts, zero this number (login was successful).
      - If it doesn't match (incorrect password for the specified user), return a failure with a generic message (don't give a potential attacker more information than necessary). Here, if you're also keeping track of failed login attempts, increment the number and, if it exceeds the maximum allowed consecutive failures, block the account. Optional: send an email to the registered user informing them of a failed login attempt.

   d. If the row is not present, no user exists with that user name. Return a failure with a generic message.

3. Else (from 2-negative: both credentials have not been entered):

   a. Return a generic validation error (enter both username and password).

Note: If you're doing it with Java, do not use a String to store the password object as it is immutable.
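The step list above, written out as runnable Python. This is an added example, not code from the answer or from any project it refers to. It assumes an in-memory dict standing in for the user table, PBKDF2-HMAC-SHA256 with a per-user random salt as the "whatever algorithm you're using" (the salt is stored next to the hash; the answer itself does not mention salting), a lockout threshold of 5 consecutive failures, and `hmac.compare_digest` for the comparison in step 2c. It also runs the hash against a dummy salt when the user row is missing, so the "no such user" path (2d) takes the same time as the "wrong password" path and returns the same generic message.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Dict, Optional

# Assumptions for this example (not from the answer): lockout threshold and
# PBKDF2 work factor. Tune the iteration count for your own hardware.
MAX_FAILED_ATTEMPTS = 5
PBKDF2_ITERATIONS = 600_000

# Generic messages: the same text for "no such user" and "wrong password",
# so a response never confirms whether a username exists.
GENERIC_FAILURE = "Invalid username or password."
GENERIC_VALIDATION = "Please enter both username and password."

# Salt used to burn equal hashing time when the user row is missing.
DUMMY_SALT = os.urandom(16)


@dataclass
class UserRow:
    """One row of the constructed user table: salt + hash, never the password."""
    username: str
    salt: bytes
    pw_hash: bytes
    failed_attempts: int = 0
    locked: bool = False


@dataclass
class LoginResult:
    ok: bool
    message: str
    principal: Optional[str] = None  # the identity to put in the session


def hash_password(password: str, salt: bytes) -> bytes:
    """Step 2a: a slow, salted password hash (PBKDF2-HMAC-SHA256), not MD5."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def register(db: Dict[str, UserRow], username: str, password: str) -> None:
    """Create a row with a fresh random salt; the clear-text password is not kept."""
    salt = os.urandom(16)
    db[username] = UserRow(username, salt, hash_password(password, salt))


def login(db: Dict[str, UserRow], username: str, password: str) -> LoginResult:
    # Step 3: both fields must be present; this is a validation error, not a
    # failed authentication, so it does not touch any counter.
    if not username or not password:
        return LoginResult(False, GENERIC_VALIDATION)

    # Step 2b: fetch the row for the user being validated.
    row = db.get(username)
    if row is None:
        # Step 2d: no such user. Hash anyway so this branch costs the same as a
        # wrong password, then return the same generic failure.
        hash_password(password, DUMMY_SALT)
        return LoginResult(False, GENERIC_FAILURE)

    # Step 2a/2c: hash the submitted password with the stored salt and compare
    # in constant time. A locked account is refused even with the right password.
    candidate = hash_password(password, row.salt)
    if not row.locked and hmac.compare_digest(candidate, row.pw_hash):
        row.failed_attempts = 0  # successful login resets the counter
        return LoginResult(True, "Login successful.", principal=row.username)

    # Step 2c negative: count the failure and lock at the threshold.
    row.failed_attempts += 1
    if row.failed_attempts >= MAX_FAILED_ATTEMPTS:
        row.locked = True
    return LoginResult(False, GENERIC_FAILURE)


if __name__ == "__main__":
    users: Dict[str, UserRow] = {}
    register(users, "alice@example.com", "correct horse battery staple")
    print(login(users, "alice@example.com", "correct horse battery staple"))
    print(login(users, "alice@example.com", "wrong"))
    print(login(users, "nobody@example.com", "wrong"))
```

The `principal` field is what the answer's step 2c calls the Principal object: the caller stores it in the session. The lockout check happens after hashing rather than before so that a locked account does not respond faster than an active one.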