Token authentication - where to store the token


Question

I am working with PHP and Laravel at the moment. I have a RESTful API that the user needs to authenticate with, to make sure they can only access things they own etc.

What I want to know is: where should the token from the server be saved on the client? In a session? A cookie? The server's database?

Recommended answer

I would suggest going the following route:

  1. the user logs into your site and requests an API usage token
  2. when a new request to your API comes in, compare the token from the incoming request with the token in the DB. If it is found, it's a valid request. The REST client could use the Authorization header to send the token.
  3. send the answer for the request

While the login system of your website might be session-based with cookies on the client side, the REST API is token-based and doesn't need a cookie or session.

Please take a look at this for more details: https://softwareengineering.stackexchange.com/a/141434/111803
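The three steps in the answer above (issue a token at login, look it up on each API request via the Authorization header, then answer), written out as an added example in plain PHP. This is not code from the answerer or from Laravel; it uses an in-memory array `$tokenStore` as a stand-in for the database table and takes request headers as an array, both assumptions made for a self-contained demo. It also goes slightly beyond the answer in two places a practitioner would expect: only a SHA-256 hash of the token is kept server-side (so a leaked table does not hand out usable tokens), and each token carries an expiry.

```php
<?php
declare(strict_types=1);

// Constructed stand-in for the "tokens" table: token_hash => [user_id, expires_at].
// A real application would keep this in the database the answer refers to.
$tokenStore = [];

// Step 1: the user has logged in (session/cookie on the website); hand out an API token.
// The plaintext token is returned to the client exactly once and never stored.
function issueToken(array &$store, int $userId, int $ttlSeconds = 3600): string
{
    $token = bin2hex(random_bytes(32)); // 256 bits of entropy, 64 hex characters
    $store[hash('sha256', $token)] = [
        'user_id'    => $userId,
        'expires_at' => time() + $ttlSeconds,
    ];
    return $token;
}

// Pull the token out of an "Authorization: Bearer <token>" header, if present.
// Header names are matched case-insensitively, as HTTP requires.
function extractBearerToken(array $headers): ?string
{
    foreach ($headers as $name => $value) {
        if (strcasecmp($name, 'Authorization') !== 0) {
            continue;
        }
        if (preg_match('/^Bearer\s+([A-Fa-f0-9]{64})$/', trim($value), $m) === 1) {
            return $m[1];
        }
    }
    return null;
}

// Step 2: compare the incoming token with what is in the store. Because the store is
// keyed by the hash of a high-entropy token, a direct lookup is sufficient; the hash
// is recomputed from the presented token, so the plaintext never needs to be stored.
function authenticate(array $store, array $headers): ?int
{
    $token = extractBearerToken($headers);
    if ($token === null) {
        return null; // no usable Authorization header
    }
    $row = $store[hash('sha256', $token)] ?? null;
    if ($row === null || $row['expires_at'] < time()) {
        return null; // unknown or expired token
    }
    return $row['user_id'];
}

// Step 3: answer the request, scoping the result to the authenticated user.
function handleRequest(array $store, array $headers): array
{
    $userId = authenticate($store, $headers);
    if ($userId === null) {
        return ['status' => 401, 'body' => ['error' => 'invalid or missing token']];
    }
    // Constructed response: a real handler would query only this user's records.
    return ['status' => 200, 'body' => ['user_id' => $userId]];
}

// Demo: one valid token, one tampered token, one request without a header.
$token = issueToken($tokenStore, 42);
echo handleRequest($tokenStore, ['Authorization' => 'Bearer ' . $token])['status'], PHP_EOL;
echo handleRequest($tokenStore, ['authorization' => 'Bearer ' . strrev($token)])['status'], PHP_EOL;
echo handleRequest($tokenStore, [])['status'], PHP_EOL;
```

Run it with `php example.php`; the first request is accepted and the other two are rejected. Nothing here relies on cookies or PHP sessions, which is the point the answer makes: the website's login can stay session-based while the API only ever sees the bearer token. Revoking a token is a single row deletion, and the client side of the question (where the client keeps the plaintext token) is left to the client's own secure storage, since the server only needs the hash.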
