Registering and authenticating new app user over api
Question
I have an Android app that connects to a .Net api for receiving/setting data. The confusion that I have is regarding how to signup/login the user the first time and authenticate him every time he makes a request to the api.
- If I just use username/password based authentication, would that be safe enough? And should I save that username/password in the device, and for every api request to the server authenticate him and then serve his request?
- Should I issue a GUID for every user at the signup, save it in their device and retrieve it every time during an api request?
What other patterns are available, and which are most efficient and secure?
Answer
First important note - don't store passwords anywhere - in your DB store it hashed and not in plain text.
In general, you want a flow where you create a session for the user and use that on subsequent requests. So, when your user logs in you validate the user/password hash combination and issue a session for the user. In your application you store the session and use it on future requests, until the user logs out or the session expires (usually you set an expiration on sessions).
There are also some generic auth flows you can look at, like oauth2.
I also strongly suggest going through some documentation on authentication flow best practices.
You can start with these:
https://www.owasp.org/index.php/Authentication_Cheat_Sheet
http://codingkilledthecat.wordpress.com/2012/09/04/some-best-practices-for-web-app-authentication/
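The flow the answer describes, as an added example in Python (not code from the question, the answer, or the poster's .Net api): the DB keeps only a salted password hash, login validates the user/password-hash combination and issues an opaque random session token that the app stores, every later request is checked against that token and its expiry, and logout revokes it. The in-memory dicts and the one-hour TTL are constructed stand-ins for the API's real database and configuration.

```python
import hashlib
import hmac
import os
import secrets
import time
from typing import Optional

# Constructed in-memory stores standing in for the API's database.
USERS = {}        # username -> {"salt": bytes, "hash": bytes}
SESSIONS = {}     # sha256(token) -> {"user": str, "expires": float}
SESSION_TTL = 3600  # seconds; hypothetical value, set to your policy

def _hash_password(password: str, salt: bytes) -> bytes:
    # Slow, salted hash: the DB never stores the plaintext password.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

def _session_key(token: str) -> str:
    # Only a hash of the token is stored, so a leaked DB does not leak live sessions.
    return hashlib.sha256(token.encode()).hexdigest()

def signup(username: str, password: str) -> None:
    salt = os.urandom(16)
    USERS[username] = {"salt": salt, "hash": _hash_password(password, salt)}

def login(username: str, password: str, now: Optional[float] = None) -> Optional[str]:
    """Validate user/password-hash; on success issue a session token for the device."""
    rec = USERS.get(username)
    if rec is None:
        return None
    if not hmac.compare_digest(rec["hash"], _hash_password(password, rec["salt"])):
        return None
    token = secrets.token_urlsafe(32)  # opaque, unguessable; the app stores this, not the password
    now = time.time() if now is None else now
    SESSIONS[_session_key(token)] = {"user": username, "expires": now + SESSION_TTL}
    return token

def authenticate(token: str, now: Optional[float] = None) -> Optional[str]:
    """Run on every api request: return the username if the session is valid, else None."""
    now = time.time() if now is None else now
    key = _session_key(token)
    sess = SESSIONS.get(key)
    if sess is None:
        return None
    if now >= sess["expires"]:
        del SESSIONS[key]  # expired: the user has to log in again
        return None
    return sess["user"]

def logout(token: str) -> None:
    SESSIONS.pop(_session_key(token), None)
```

The token travels in a request header over TLS; the server never needs the password again until the session expires or is revoked.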