Concluding thoughts caused by a SMS verification code function

Concluding thoughts caused by a SMS verification code function

Explore the technology behind simple functions.


Yesterday, I saw an address where new users can receive a 14-day membership of the XDeng reading APP for free. It's 2020, and it's about to start reading. Seeing that the activity is on the laptop, I use the laptop browser to visit the activity page , enter the phone number, receive the verification code, fill in the verification code, and claim this member. I thought that everything ended smoothly in this way, but it was not. Filling in the verification prompts "network error". This is unscientific. As a programmer, I subconsciously pressed F12 and opened it , so I saw the following error, as shown in the figure:

Take a screenshot of the error separately:

The simpler point is that there is a cross-domain problem. I thought about it, and it is estimated that this activity is aimed at the mobile terminal. I used the PC terminal to access it, which led to cross-domain access. This place is not well designed.

So use your mobile phone to visit the activity page address, open it normally, fill in the mobile phone number, and then prompt:

I just sent verification codes to my PC a few times, and the design of this place still takes security into consideration, which is not bad.

I can only wait. From the perspective of development, this means that my phone number can only send a fixed number of verification codes within a fixed time period. If the number exceeds this number, it will not be sent to me. One is for security considerations. Another possibility is cost considerations (to prevent SMS verification codes from being swiped).

After a while, I went to the mobile phone to try to claim it, and found that everything went well and the claim was successful.

If you see that the partner here is a new user and is also a little interested in reading, you can receive this member to experience it. Address:

It should be over here, but as a developer, I think I need to briefly organize this short-term function, because although this function seems simple, there are many points that need to be paid attention to and considered.

SMS verification code design summary

In the age of the Internet, sending SMS verification codes has become an indispensable feature in many products. There are also many scenarios used, such as registration and login, bank transfers, marketing activities, etc. (There are really many scenarios, so I won't give more examples).

When sending verification, in fact, many companies use third-party SMS services. This SMS service requires a fee. There is no free lunch in the world. Then it appears SMS Bomber - black tool brush SMS .

SMS Bomber is a software that uses a written program to scan text messages in large quantities. It can scan text messages by automatically submitting mobile phone numbers and simulating IP in batches.

If you need products that use SMS verification codes, you must formulate restriction rules and design well.

Main principle: The front-end and back-end sending verification codes need to be designed together, so that the relative can be more complete or more perfect. The main idea:

1. Time limit

Send again after xx seconds

Generally, after clicking the verification, a countdown of xx seconds will be performed on the front-end (client) (this countdown can be set according to the specific product and specific business, and many are 60s). In this fixed period of time, users cannot submit multiple requests for sending information.

The specific time limit should consider the attributes of the product itself, the ease of operation, network delay, and the cost of SMS tariffs.

2. Graphic verification code limit + time limit

(1) When you need to send a verification code, first let the user enter the verification code. After the entered verification code is passed, you can request to obtain the SMS verification code, otherwise the obtain verification button will not be activated. (2) After requesting for verification, generally a countdown of xx seconds will be performed on the front-end (client) (this countdown can be determined according to the specific business of the specific product). In this fixed time, the user cannot submit multiple requests for sending information.

At this point, the graphic verification code is not necessarily required. Perhaps in order to have a better user experience, you do not need to enter the graphic verification code at the beginning, and only after the operation reaches a certain amount, you need to enter the graphic verification code. For specific situations, please design according to specific scenarios.

Although this method is commonly used, it is not very useful. People with better skills can bypass this restriction and send SMS verification codes directly. If the front desk counts down 60s, the design of the invalidation time of the backstage verification code must not be 60, usually 5~10 minutes.

3. Mobile phone number + limit on the number of times you can send text messages at a specified time

The same mobile phone number cannot exceed x within a specified time.

When using the same mobile phone number for registration or other operations to send SMS verification codes, the system can restrict this mobile phone number. For example, only 5 SMS verification codes can be sent in 24 hours, and an error will be reported if the limit is exceeded (e.g., system Busy, please try again later). However, this can only avoid manual scanning of text messages. For machines that use different mobile phone numbers to scan text messages in batches, this method is also helpless.

4. IP and Cookie restrictions

Limit the maximum number of same IP/Cookie information

Using Cookie or IP, you can simply identify the same user, and then restrict the same user (for example, only xx short messages can be sent within xx time). However, cookies can be cleaned, IP can be simulated, and the same IP in the local area network will appear in the IP. Therefore, when using this method, you should think about it according to the specific situation.

In this way, on the basis of the third point, it prevents malicious swiping of mobile phone verification code text messages. If the same ip requests to obtain mobile phone verification code text messages multiple times, because the text messages require money, competitors are likely to swipe them maliciously. (We are kind to others, but we must be defensive in our hearts)

5. SMS warning mechanism

Monitor the SMS service, and take care of protection after problems

The above methods may not completely prevent SMS from being swiped. Therefore, we should also implement an early warning mechanism for SMS, that is, when the usage of SMS reaches a certain amount, send an early warning message to the administrator, and the administrator can immediately respond to the SMS. Interface conditions are monitored and protected.

After I sorted out the relevant information, I understood a little bit about the problem that occurred above today. The verification code on the mobile terminal is verified normally, but the PC terminal cannot be verified. It may be that the product design restricts malicious brushing of short messages and restricts cross-domain requests. Or maybe this is a bug.


A seemingly simple function can be simple to do simple, complex or complex. As a technician, understand the business, understand the usage scenarios, understand the number of users, etc., comprehensive consideration, multi-end era, compatibility, etc. consider.

In fact, if you can think about this problem carefully, you can consider it completely if you encounter it in the future, and the developers always say that they do additions, deletions, inspections, and modifications. This function is well designed. It involves additions, deletions, inspections, and modifications, as well as a development pair. Functional design capabilities.

Doing every small function well and improving the user experience from a small place is the common responsibility of product and development.

Finally, I would like to talk about two points, and the friends I saw thought about it:
1. How should the verification code be processed in the background, where is it stored in the memory, cache, or database?
2. What kind of SMS verification code has a good user experience, the content and length of the verification code?

Welcome to leave a message and discuss and exchange together~

The mobile phone verification code is very important, please do not disclose it to strangers~