在PHP基于令牌的认证 [英] token based authentication in php
问题描述
我有我的web服务器的REST服务,用PHP编写的。我想知道,什么是最好的验证(除了基本的HTTP访问身份验证)。
我heared基于令牌的身份验证,并且想问一下,如果有人可以解释的主要步骤。
I have an REST service on my webserver, written in php. I was wondering, what would be the best authentication (besides basic http access authentication). I've heared of token-based auth, and would like to ask if someone could explain the main steps.
- 在一个GET:是令牌发送可见? (是不是不安全?)
- 如何使令牌唯一有效的特定时间?
- ...
客户端:Android的/浏览器;服务器:Apache,PHP5
Client: Android/Browser; Server: Apache, PHP5
推荐答案
这是可以做到无论哪种方式,并在一个GET请求的值是不是真的比任何POST请求中的价值更加明显。如果有人可以看到(即拦截的)的要求,他所看到的一切你发送。在最后一个HTTP请求仅仅是可能跟着身体一帮HTTP标头。 URL是发送第一 GET /富/酒吧HTTP / 1.1 行,其他值都只是在发送不同,下面几行。
It can be done either way, and values in a GET request aren't really any more visible than values in a POST request. If anybody can "see" (i.e. intercept) the request, he can see everything you're sending. In the end an HTTP request is just a bunch of HTTP headers possibly followed by a body. The URL is send in the first GET /foo/bar HTTP/1.1 line, other values are just send in different, following lines.
所以,它给你,你期望被发送身份验证令牌。你可以要求它是附加到每个请求的查询参数:
So it's up to you where you expect your authentication token to be send. You can require it to be a query parameter that is appended to every request:
GET /foo/bar?user=123456&token=abcde...
要真正使用HTTP协议,就像预期的,你应该使用授权 HTTP头:
To really use the HTTP protocol as intended though, you should use the Authorization HTTP header:
Authorization: MyScheme 123456:abcde...
这头的内容完全取决于你。它通常规定如基本,其次是无论你想要求进行身份验证的授权方法。这可以简单地将用户名和密码,它们的哈希,一个不透明的令牌客户端已经在某些时候或其他任何获得真正的。
The content of this header is entirely up to you. It usually specifies an authorization method like Basic, followed by whatever you want to require for authentication. This can simply be the username and password, a hash of them, an opaque token the client has obtained at some point or anything else really.
我建议令牌系统或请求签名系统,而后者是很preferred。在请求签名系统,客户端必须从你获得的令牌。然后它发送的请求的此标记和某些特征的散列来验证请求,例如 SHA1(令牌+时间戳+请求URL +请求体)。您的服务器可以验证这一点,而无需派遣令牌在每个请求的纯文本的客户端。
I'd recommend a token system or a request signing system, with the latter being very much preferred. In a request signing system, the client has to obtain a token from you. It then sends a hash of this token and certain characteristics of the request to authenticate the request, e.g. sha1(Token + Timestamp + Request URL + Request Body). Your server can validate this without the client having to send the token in plain text on each request.
如何使令牌唯一有效的特定时间?
How do I make the token only valid for a specific time?
您保存令牌服务器端使用过期时间戳和对证。
You save the token server-side with an expiration timestamp and check against it.
这篇关于在PHP基于令牌的认证的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
