PHP - Passing data from a site to another site securely


Question

I have a site that can take requests from multiple sites. Sort of like an upgrade check. These sites will send info like user names, passwords, app version etc., then my site will send a response based on this info.

Basically this is a $_GET request, something like:

http://www.mysite.com/?user=boo&password=foo&version=4

I was wondering if there would be any security issues doing stuff like this. Could this data be "intercepted" somehow?

Recommended answer

Well, I would highly suggest not sending the username / password across in plain text under any circumstance (even when under SSL). Instead, I'd suggest using a Digest form of authentication.

Instead, I would suggest generating a large authentication token (a random string of large size; 128 characters would work). Then, the users would install this "token" in their app.

Now, when the app checks for updates, it first fires a request to your server asking for a digest token. This is a random, one-time-use token that's only used for exactly one request. Your application should generate a token, store it in a durable format (file, memory, database, etc.) along with the timestamp, and then send it back.

Now, your application receives this digest token (called $dt here). Then, you HMAC it with the pre-configured authentication token that was already given.

// Client side: the pre-shared auth token is the message, the one-time digest token is the HMAC key
$authBit = $username . ':' . $authToken;
$hash = hash_hmac('sha256', $authBit, $digestToken);
// Only the username, the HMAC and the one-time token travel over the wire
$authField = $username . ':' . $hash . ':' . $digestToken;

Then, you send the $authField to the server. The server will then split the parts:

// Server side: the field has exactly three colon-separated parts (hash and digest token are hex, so they contain no colons)
list ($user, $hash, $digestToken) = explode(':', $authField);

Now, you first look up the user's authentication token in the database and store it in $authToken. Then, you look up the $digestToken to make sure that it exists and that it was created less than 60 seconds ago (you can adjust this if it's too short, but don't make it significantly longer). Either way, delete it from the db at this point (to prevent it from being reused).

Now, if the $digestToken exists and is valid, and you can find an $authToken, then just do the following check:

$stub = $user . ':' . $authToken;
// hash_equals() compares in constant time and avoids PHP's loose '==' comparison of hex strings
if (hash_equals(hash_hmac('sha256', $stub, $digestToken), $hash)) {
    //valid user
} else {
    //Not valid
}

It has the benefit of changing the sent token on each and every single HTTP request (anyone reading the request stream won't be able to get any sensitive information from the request, other than the username, which you could mask further if you'd like)...
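Both sides of the exchange described in this answer, as an added example that is not code from the original answer: the server issues a one-time digest token, the client builds the HMAC field from its pre-shared auth token, and the server consumes the digest token, checks its age and verifies the HMAC. It assumes in-memory arrays in place of the database and one-time-token store, and the function names issueDigestToken, buildAuthField and verifyAuthField are illustrative, not part of the original.

```php
<?php
// Added example, not code from the original answer: both sides of the
// challenge/HMAC exchange described above, simulated in one process.
// Assumptions (not in the original): in-memory arrays stand in for the
// server's user table and one-time-token store, and the function names
// issueDigestToken / buildAuthField / verifyAuthField are illustrative.
declare(strict_types=1);

const DIGEST_TOKEN_TTL_SECONDS = 60;

// ----- Server-side state (constructed sample data) -----
// Long-lived per-user auth token, installed once in the client app.
$userAuthTokens = [
    'boo' => bin2hex(random_bytes(64)), // 128 hex characters
];
// One-time digest tokens: token => time it was issued.
$digestTokens = [];

// Step 1 (server): issue a fresh one-time digest token and record when.
function issueDigestToken(array &$store): string
{
    $dt = bin2hex(random_bytes(32));
    $store[$dt] = time();
    return $dt;
}

// Step 2 (client): HMAC "user:authToken" keyed with the digest token and
// send "user:hash:digestToken". The auth token itself never leaves the client.
function buildAuthField(string $username, string $authToken, string $digestToken): string
{
    $hash = hash_hmac('sha256', $username . ':' . $authToken, $digestToken);
    return $username . ':' . $hash . ':' . $digestToken;
}

// Step 3 (server): consume the digest token, check its age, then recompute
// and compare the HMAC. Returns true only for a fresh, untampered field.
function verifyAuthField(string $authField, array $userAuthTokens, array &$digestStore): bool
{
    $parts = explode(':', $authField);
    if (count($parts) !== 3) {
        return false;
    }
    [$user, $hash, $dt] = $parts;

    // Unknown or already-used digest token: reject.
    if (!isset($digestStore[$dt])) {
        return false;
    }
    // Delete it before any other check so it can never be replayed.
    $issuedAt = $digestStore[$dt];
    unset($digestStore[$dt]);
    if (time() - $issuedAt > DIGEST_TOKEN_TTL_SECONDS) {
        return false;
    }

    if (!isset($userAuthTokens[$user])) {
        return false;
    }
    $expected = hash_hmac('sha256', $user . ':' . $userAuthTokens[$user], $dt);
    // Constant-time comparison; also avoids PHP's loose '==' on hex strings.
    return hash_equals($expected, $hash);
}

// ----- Walk-through -----
$dt = issueDigestToken($digestTokens);
$field = buildAuthField('boo', $userAuthTokens['boo'], $dt);
echo 'fresh request:    ', var_export(verifyAuthField($field, $userAuthTokens, $digestTokens), true), PHP_EOL;

// Replaying the captured field: its digest token was consumed above.
echo 'replayed request: ', var_export(verifyAuthField($field, $userAuthTokens, $digestTokens), true), PHP_EOL;

// An attacker who saw the user name but not the auth token has to guess it.
$dt2 = issueDigestToken($digestTokens);
$forged = buildAuthField('boo', 'guessed-auth-token', $dt2);
echo 'forged request:   ', var_export(verifyAuthField($forged, $userAuthTokens, $digestTokens), true), PHP_EOL;
```

Run it with `php example.php`. The digest token is removed from the store before the age and HMAC checks so that a replayed or failed attempt can never retry it, and hash_equals() is used instead of == because PHP compares two hex strings that look like numbers (for example "0e123...") as equal under loose comparison, and a plain string comparison returns early on the first differing byte.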
