通过客户端SDK Facebook验证 - 安全观 [英] facebook authentication via Client SDK - Security Concept
问题描述
我想我不完全理解Facebook的OAuth的API处理身份验证的方式。据我了解,它的工作原理基本上是这样的(客户端是一款Android手机,我的服务器标准的LAMP-设置):
I think I don't fully understand the way the facebook OAuth-API handles authentication. As far as I understand, it works basically like this (client being an Android phone, my server a standard LAMP-setup):
现在的问题是,客户当然也可以通过提交一个错误的用户ID,以我的服务器假冒步数3 - 如果我的服务器响应请求的 http://server.com/getConfidentialData.php?fbID=%FBID% 和用户设法得到别人的FB-用户ID,他可能只是将其写入请求,他会得到属于别人的数据。
Now the issue is, the client can of course fake step number 3 by submitting a wrong userID to my server - for example if my server responds to the request http://server.com/getConfidentialData.php?fbID=%FBID% , and the user manages to get the fb-userID of someone else, he could just put that into the request and he'd get the data that belongs to someone else.
如果我使用的PHP-SDK,怎么能知道我的用户是否登录在Android的App或不?
If I use the PHP-SDK, how can it know whether my user is logged in in the Android-App or not?
是,这是应该在上班的路上,还是我失去了一些东西?
Is that the way it's supposed to work, or am I missing something?
谢谢,
大卫。
Thanks, David.
推荐答案
唯一真正的解决办法:
您有私人用户数据的服务器,而不是一切都在Facebook上的那一刻,你需要做的服务器端登录这并不难实现,一旦你了解了流程。
The moment you have a server with private user data and not everything is on Facebook, you need to do the server-side login which is not hard to implement once you understand the flow.
在检查实图,并按照他们在这个例子中提供的指引,你是好去。
Check the diagram at Facebook and follow the guidelines they provide in this example and you are good to go.
https://developers.facebook.com/docs/howtos /登录/服务器端的登录/
这篇关于通过客户端SDK Facebook验证 - 安全观的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
