在PHP基于令牌的认证 [英] token based authentication in php
问题描述
我有我的web服务器的REST服务,用PHP编写的。我想知道,什么是最好的验证(除了基本的HTTP访问身份验证)。
我heared基于令牌的身份验证,并且想问一下,如果有人可以解释的主要步骤。
I have an REST service on my webserver, written in php. I was wondering, what would be the best authentication (besides basic http access authentication). I've heared of token-based auth, and would like to ask if someone could explain the main steps.
- 在一个GET:是令牌发送可见? (是不是不安全?)
- 如何使令牌唯一有效的特定时间?
- ...
客户端:Android的/浏览器;服务器:Apache,PHP5
Client: Android/Browser; Server: Apache, PHP5
推荐答案
这是可以做到无论哪种方式,并在一个GET请求的值是不是真的比任何POST请求中的价值更加明显。如果有人可以看到(即拦截的)的要求,他所看到的一切你发送。在最后一个HTTP请求仅仅是可能跟着身体一帮HTTP标头。 URL是发送第一 GET /富/酒吧HTTP / 1.1
行,其他值都只是在发送不同,下面几行。
It can be done either way, and values in a GET request aren't really any more visible than values in a POST request. If anybody can "see" (i.e. intercept) the request, he can see everything you're sending. In the end an HTTP request is just a bunch of HTTP headers possibly followed by a body. The URL is send in the first GET /foo/bar HTTP/1.1
line, other values are just send in different, following lines.
所以,它给你,你期望被发送身份验证令牌。你可以要求它是附加到每个请求的查询参数:
So it's up to you where you expect your authentication token to be send. You can require it to be a query parameter that is appended to every request:
GET /foo/bar?user=123456&token=abcde...
要真正使用HTTP协议,就像预期的,你应该使用授权
HTTP头:
To really use the HTTP protocol as intended though, you should use the Authorization
HTTP header:
Authorization: MyScheme 123456:abcde...
这头的内容完全取决于你。它通常规定如基本
,其次是无论你想要求进行身份验证的授权方法。这可以简单地将用户名和密码,它们的哈希,一个不透明的令牌客户端已经在某些时候或其他任何获得真正的。
The content of this header is entirely up to you. It usually specifies an authorization method like Basic
, followed by whatever you want to require for authentication. This can simply be the username and password, a hash of them, an opaque token the client has obtained at some point or anything else really.
我建议令牌系统或请求签名系统,而后者是很preferred。在请求签名系统,客户端必须从你获得的令牌。然后它发送的请求的此标记和某些特征的散列来验证请求,例如 SHA1(令牌+时间戳+请求URL +请求体)
。您的服务器可以验证这一点,而无需派遣令牌在每个请求的纯文本的客户端。
I'd recommend a token system or a request signing system, with the latter being very much preferred. In a request signing system, the client has to obtain a token from you. It then sends a hash of this token and certain characteristics of the request to authenticate the request, e.g. sha1(Token + Timestamp + Request URL + Request Body)
. Your server can validate this without the client having to send the token in plain text on each request.
如何使令牌唯一有效的特定时间?
How do I make the token only valid for a specific time?
您保存令牌服务器端使用过期时间戳和对证。
You save the token server-side with an expiration timestamp and check against it.
这篇关于在PHP基于令牌的认证的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!