Authentication model for Android application


Problem description

I am going to build a system which has 2 parts: 1. PHP website (CakePHP). 2. Mobile application (Android & iPhone).

Users must log in with usr&pwd to use my system (web and mobile application). But I don't have a lot of experience with user authentication. What should I store: usr&pwd, token string? I want to find a "user authentication model" for my system (web and mobile application).

Is there anybody who has experience with user authentication? Does anybody know how to implement this? Any sample code? Help me plz :)

Recommended answer

This is what we do for our applications,

  1. First we send a username and a password to the server from our application.

At the server, they authenticate the credentials and return a response which is a combination of a request token and a success flag.

In our application, we check the success flag. If it's set to true, we save the request token and use it for all the next outgoing requests to the server.

Now when the server receives a request, it checks the database to see if a user has this token. If it does, it checks the time at which the last request was made. (This is to handle cases when the user login has timed out.) If the difference between the current time and the last request time is more than the limit you set, you respond to the application that a fresh login request is required to generate a new token. Otherwise you continue with the request and respond with the results.

This is how the server side guys in my workplace do it. I'm working on the client side. But this is basically what is done.

Edit: About the token. It's basically a 32 character string which is generated with a random generator method. So when a user sends a login request and the login is a success, we create a token using the generator method and store that into our server database as the user's request token along with the current time and date.

So when the user sends another request to the server, we first take the token and check if a user exists with that token. If there is, then the next check is to see if this is some old request token. So we check the current time against the time saved in the database. If the request was sent before the limit (e.g. 5 mins), then we update the last request time in the database with the current time and return the result to the client.

With this method you are kind of doing an authentication for each request by checking the token and the last request time.

Suppose you want your app to be logged in all the time until the user explicitly logs off. In that case you do not need to check the time for each request. All you need to do is save the request token on the client device. And when the user signs out, delete the token from the client. So he will be required to log in the next time as he has no token. It's a bit more secure to save a request token on the client device than to save a username and password in this scenario.

There are many functions out there for generating random tokens.
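A worked model of the server side of the flow this answer describes: login returns a success flag plus a request token, every later request is checked against the stored token and its last request time (5 minute idle limit, as in the answer's example), and an explicit logout drops the token. This is an added illustration written in Python, not code from the original post or from the answerer's workplace, and not the asker's CakePHP code; the `TokenStore`, `FakeClock`, the in-memory dict standing in for the server database table, and the `USERS` record are all constructed for the example. A PHP server would keep the same three columns (token, user, last request time) in a table.

```python
import hmac
import secrets
import time
from dataclasses import dataclass

# Idle limit from the answer's example: a token not used for more than
# 5 minutes requires a fresh login.
IDLE_LIMIT_SECONDS = 5 * 60

# Constructed user record for the example only. A real server stores a
# password hash (password_hash() in PHP), never the plaintext as here.
USERS = {"alice": "correct horse battery staple"}


def check_credentials(username: str, password: str) -> bool:
    """Step 1: verify the username/password the client sent."""
    expected = USERS.get(username)
    if expected is None:
        return False
    # Constant-time comparison so timing does not leak how many bytes matched.
    return hmac.compare_digest(expected.encode(), password.encode())


@dataclass
class Session:
    username: str
    last_request: float   # time of the last accepted request, as in the answer


class FakeClock:
    """Controllable clock (assumed helper) so the timeout can be exercised without waiting."""

    def __init__(self, start: float = 0.0) -> None:
        self.t = start

    def now(self) -> float:
        return self.t

    def advance(self, seconds: float) -> None:
        self.t += seconds


class TokenStore:
    """Server-side token table: token -> (user, last request time)."""

    def __init__(self, now=time.time) -> None:
        self._now = now                          # injectable clock
        self._sessions: dict[str, Session] = {}  # stands in for the DB table

    def login(self, username: str, password: str) -> dict:
        """Return the (success flag, request token) response the answer describes."""
        if not check_credentials(username, password):
            return {"success": False, "token": None}
        token = secrets.token_hex(16)            # 32-character string from a CSPRNG
        self._sessions[token] = Session(username, self._now())
        return {"success": True, "token": token}

    def authenticate(self, token: str, enforce_idle_limit: bool = True):
        """Per-request check: the username, or None when a fresh login is required.

        enforce_idle_limit=False is the "stay logged in until explicit logoff"
        variant from the end of the answer: the token is only checked for existence.
        """
        session = self._sessions.get(token)
        if session is None:
            return None                          # no user has this token
        now = self._now()
        if enforce_idle_limit and now - session.last_request > IDLE_LIMIT_SECONDS:
            del self._sessions[token]            # timed out: client must log in again
            return None
        session.last_request = now               # refresh the idle timer
        return session.username

    def logout(self, token: str) -> None:
        """Explicit sign-out: drop the token server-side, not only on the client."""
        self._sessions.pop(token, None)


if __name__ == "__main__":
    clock = FakeClock(1000.0)
    store = TokenStore(now=clock.now)
    resp = store.login("alice", "correct horse battery staple")
    tok = resp["token"]
    print(resp["success"], len(tok))            # True 32
    print(store.authenticate(tok))              # alice
    clock.advance(IDLE_LIMIT_SECONDS + 1)
    print(store.authenticate(tok))              # None: idle limit exceeded
```

The token comes from `secrets.token_hex`, a cryptographically secure generator; a 32-character string built from `rand()` or the current time would be predictable, and an attacker who can guess it skips the password check entirely. Note that the store also deletes the token server-side on logout and on timeout: removing it only from the client device, as the last paragraph of the answer describes, leaves a still-valid token in the database.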
