How to make use of session in REST API


Question

I saw in some company's REST web-service documentation that in step 1 the client asks for an API key, and they return the server time, the expiry time and an auth_key as the response. In step 2, for login, the user name, password and the md5 of both the apikey and the auth_key are sent, and it returns a session id. In the remaining steps the user only sends the session id. How is that possible? By a session? I'm confused; can anyone please help me with this?

Answer

They aren't actually making use of a session in the sense of a PHP session_start(). What they're really doing can be explained in a few steps:

  1. You ask for an API key:
     1. The service then generates an auth_key with a lifetime
     2. Saves the generated api key, auth_key and expiry to a database table. The api key is very likely a UNIQUE index on the table.
     3. Sends a response to the user containing the generated api key, auth_key and the expiry of the keys.

  2. You send your login details, along with the md5(api_key . auth_key): I expect that you likely also send the api key along in a header.

     1. It first uses the received api key to query the database table
     2. Retrieves the auth_key value and expiry
     3. Checks that the auth_key has not expired; if it hasn't
     4. Computes the md5(api_key . auth_key)
     5. Compares it to the md5(api_key . auth_key) from your request
     6. If it is the same, then it checks your login details
     7. If the login details are correct, it generates a unique session_id associated to the authenticated account
     8. It saves these details to another database table: session_id, account_id. I'm using account id here because it's the most likely to use.
     9. It returns this session_id to your client

  3. Every request you send after that with the session_id then works like so:
     1. It retrieves the session_id from the request
     2. It tries to retrieve the account associated with the session_id from the database
     3. If it is found/valid and you have the access/permission to perform the action, it executes the command.

In summary, that is the entire flow; which is why I said earlier that it doesn't use sessions in the way sessions work when you do a session_start(); meaning they can't do something like $_SESSION. You should also know that trying to do sessions using session_start for a RESTful API is NOT RESTful.

Update due to Rajan's comment

@Rajan this answer was just an explanation based on the question; you shouldn't think too much about it. To answer your question; look at the API key and the Auth key as 2 parts of a process that helps identify a user:

  • A public one: the API key
  • A private one: the Auth key

Every time you send a request, you send the public key, and a string generated from combining the public and private key. The server takes the public key, searches for a valid private key, and tries to compute the value using the same formula, then finally compares what it generates to what you generated.

If they're the same, it continues processing; if they're different, it terminates execution.

The validity of the session id above can be anything you want; usually it'll be long-lived (it can probably last up to 30 days).

Hope this answers your question.
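The three-step flow the answer describes, written out as an in-memory server model. This is an added example, not code from the original post or from any real service; account data, lifetimes and the `ApiAuthServer` class are constructed for illustration, and the page's PHP `md5(api_key . auth_key)` is string concatenation followed by md5.

```python
import hashlib
import hmac
import secrets


class ApiAuthServer:
    """Server side of the API-key / auth_key / session_id flow (constructed example)."""

    def __init__(self, auth_key_ttl=300, session_ttl=30 * 24 * 3600):
        self.auth_key_ttl = auth_key_ttl      # lifetime of the auth_key in seconds
        self.session_ttl = session_ttl        # session_id validity (the answer suggests ~30 days)
        self.auth_keys = {}                   # api_key -> (auth_key, expiry); api_key is the unique index
        self.sessions = {}                    # session_id -> (account_id, expiry)
        self.accounts = {"alice": ("s3cret", 42)}  # username -> (password, account_id); constructed test data

    def request_api_key(self, now):
        """Step 1: issue an api_key plus a private auth_key with an expiry."""
        api_key, auth_key = secrets.token_hex(16), secrets.token_hex(16)
        expiry = now + self.auth_key_ttl
        self.auth_keys[api_key] = (auth_key, expiry)
        return {"api_key": api_key, "auth_key": auth_key, "server_time": now, "expiry": expiry}

    @staticmethod
    def signature(api_key, auth_key):
        """The page's formula: md5(api_key . auth_key). A keyed HMAC would be the modern replacement."""
        return hashlib.md5((api_key + auth_key).encode()).hexdigest()

    def login(self, api_key, sig, username, password, now):
        """Step 2: check the auth_key is valid and unexpired, the signature matches, then the credentials."""
        rec = self.auth_keys.get(api_key)
        if rec is None:
            return None                       # unknown api_key
        auth_key, expiry = rec
        if now >= expiry:
            return None                       # auth_key expired
        if not hmac.compare_digest(self.signature(api_key, auth_key), sig):
            return None                       # client's md5 does not match ours
        acct = self.accounts.get(username)
        if acct is None or not hmac.compare_digest(acct[0], password):
            return None                       # bad login details (a real store would hold password hashes)
        session_id = secrets.token_urlsafe(32)
        self.sessions[session_id] = (acct[1], now + self.session_ttl)
        return session_id

    def authorize(self, session_id, now):
        """Step 3: resolve a session_id to its account_id, or None if unknown or expired."""
        rec = self.sessions.get(session_id)
        if rec is None or now >= rec[1]:
            return None
        return rec[0]
```

Every lookup keys on a value the server itself generated, so there is no server-side `$_SESSION` state tied to a cookie; the session_id row in the table is the only thing the later requests rely on.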
