Types of HTTP authentication and how to design a secure database?


Problem description


Some months ago I worked on an iOS (iPhone) application that allowed users to create some kinds of events and post them as XML/JSON files to a web server. Then through their device they were able to view events from different users etc.

The idea to build the whole thing was pretty basic. When the application launched for the first time, the application connected to a URL and asked for a user id (which is unique for every user). Then every time the user wanted to post something, we used HTTP Basic Authentication and sent as a header the user's id and an XML file which contained all the information about the event created. I never worked on the server side, so I had no idea how secure the whole system was.

A few days ago I started working on an application of mine, which is the same idea, so I first started working on the server side (PHP). Before I started I wanted to see how secure the previous project of mine was and I was shocked there was no security of any kind. Just by using a simple web debugger (sniffer) I was able to see where my application connected to ask for a user id, what the form of every XML file sent to the database was and how the server answered.

So if someone just wanted to flood the database with a million user ids or a million events, it would be super easy to create a PHP script to do that. In this case we used HTTP Basic Authentication.

My question now is, what kind of authentication shall I use, so that it is not visible what kind of files are exchanged between the server and the user (XML), and how can I design the sign up mechanism so someone can't create a million ids with a simple script.

I don't want to build a super secure application, but one that at least has some basic kind of security. As I am very new to PHP, you could give me some links to check on what security mechanisms I should use or even better some tutorials. Also if you developed something like this before what kind of security did you use and what would you suggest?

Solution

Just by using a simple web debugger (sniffer) I was able to see where my application connected to ask for a user id, what the form of every XML file sent to the database was and how the server answered.

Use SSL to prevent man-in-the-middle attacks.

So if someone just wanted to flood the database with a million user ids or a million events, it would be super easy to create a PHP script to do that.

That's the nature of network communication. Use heuristics to limit the amount of unwanted data. Some examples:

  1. A single user_id can create at most one event per second.
  2. Let the client sign the request for a user_id and verify the signature on the server.

These are not sure-fire ways to prevent abuse, but there is no total security. The suggested methods will keep out most of the script kiddies, though.
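The two heuristics in the answer above (a per-user_id rate limit and a client-signed request verified on the server), worked through as an added example that is not part of the original question or answer and not the asker's PHP code. The example is in Python rather than PHP because the logic is language-independent; it assumes each client was handed a per-user secret at sign-up (over TLS, as the answer's first point recommends), that the client sends `user_id`, a Unix `timestamp`, the XML body and an HMAC-SHA256 `signature` with every event post, and that the server clock is roughly in sync with the client's. The user ids, secret and XML body are constructed sample values.

```python
import hmac
import hashlib

# Constructed sample data: per-user secrets issued to each client at sign-up.
# In a real deployment these live in the database next to the user record.
USER_SECRETS = {
    "user-42": b"constructed-secret-for-user-42",
}

MAX_CLOCK_SKEW = 300  # seconds; a signed request older than this is rejected


def canonical_message(user_id: str, timestamp: int, body: bytes) -> bytes:
    """Bind user id, timestamp and payload together so none can be swapped
    for another request's without invalidating the signature."""
    return user_id.encode() + b"\n" + str(timestamp).encode() + b"\n" + body


def sign_request(user_id: str, timestamp: int, body: bytes, secret: bytes) -> str:
    """Client side: HMAC-SHA256 over the canonical message, hex encoded."""
    msg = canonical_message(user_id, timestamp, body)
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def verify_request(user_id, timestamp, body, signature, now, secrets=USER_SECRETS):
    """Server side (heuristic 2): recompute the MAC and compare in constant
    time, after rejecting unknown users and stale timestamps."""
    secret = secrets.get(user_id)
    if secret is None:
        return False
    if abs(now - timestamp) > MAX_CLOCK_SKEW:
        return False
    expected = sign_request(user_id, timestamp, body, secret)
    return hmac.compare_digest(expected, signature)


class EventRateLimiter:
    """Heuristic 1: a single user_id may create at most one event per second.
    Keeps only the time of the last accepted event per user."""

    def __init__(self, min_interval=1.0):
        self.min_interval = min_interval
        self._last_event = {}

    def allow(self, user_id, now):
        last = self._last_event.get(user_id)
        if last is not None and now - last < self.min_interval:
            return False
        self._last_event[user_id] = now
        return True


def handle_event_post(user_id, timestamp, body, signature, now, limiter,
                      secrets=USER_SECRETS):
    """Apply both heuristics to one incoming event post.
    Returns (http_status, reason) the way a PHP handler would."""
    if not verify_request(user_id, timestamp, body, signature, now, secrets):
        return 401, "bad or missing signature"
    if not limiter.allow(user_id, now):
        return 429, "rate limit: one event per second per user"
    return 201, "event accepted"


if __name__ == "__main__":
    # Constructed walk-through: a client signs one event and posts it twice
    # within a second, then a tampered copy.
    body = b"<event><title>demo</title></event>"
    ts = 1_700_000_000
    sig = sign_request("user-42", ts, body, USER_SECRETS["user-42"])
    limiter = EventRateLimiter()
    print(handle_event_post("user-42", ts, body, sig, ts + 10, limiter))
    print(handle_event_post("user-42", ts, body, sig, ts + 10.5, limiter))
    print(handle_event_post("user-42", ts, body + b"!", sig, ts + 12, limiter))
```

The timestamp window bounds how long a captured, validly signed request stays replayable; storing seen signatures (or a per-request nonce) for the length of that window closes the gap entirely. The per-user secret belongs in the database, not in the app binary: a key baked into the client can be pulled out of the shipped app, which is exactly the sniffing-style exposure the question describes.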

