How to make use of session in REST API
Question
I saw in some company's REST web-service documentation that in step 1 you ask for an API key, and they return the server time, an expiry time and an auth_key as the response. In step 2, for login, you send the user name, password and the md5 of both the apikey and the auth_key, and it returns a session id. In the remaining steps the user only sends the session id. How is that possible? By a session? I'm confused, please help me with this.
Recommended answer
They aren't actually making use of a session in the sense of a PHP `session_start()`. What they're really doing can be explained in a few steps:
- You ask for an API key:
  - The service then generates an `auth_key` with a lifetime
  - Saves the generated `api key`, `auth_key` and `expiry` to a database table. The `api key` is very likely a UNIQUE index on the table.
  - Sends a response to the user containing the generated `api key`, `auth_key` and the `expiry` of the keys.
- Your login details are sent together with `md5(api_key . auth_key)`: I expect that you likely also send the `api key` along in a header.
  - It first uses the received `api key` to query the database table
  - Retrieves the `auth_key` value and expiry
  - Checks that the `auth_key` has not expired; if it hasn't
  - Computes the `md5(api_key . auth_key)`
  - Compares it to the `md5(api_key . auth_key)` from your request
  - If it is the same, then it checks your login details
  - If the login details are correct, it generates a unique `session_id` associated to the authenticated account
  - It saves these details to another database table: `session_id`, `account_id`. I'm using account id here because it's the most likely to use.
  - It returns this `session_id` to your client

Every request sent with the `session_id` then works like so:
  - It retrieves the `session_id` from the request
  - It tries to retrieve the account associated to the `session_id` from the database
  - If found/valid and you have access/permissions to perform the action, it performs the command.
In summary, that is the entire flow; which is why I said earlier that it doesn't use sessions in the way sessions work when you do a `session_start()`, meaning they can't do something like `$_SESSION`.
You should also know that trying to do sessions using `session_start` for a RESTful API is NOT RESTful.
Update due to Rajan's comment
@Rajan this answer was just an explanation based on the question; you shouldn't think too much about it. To answer your question, look at the API key and the auth key as two parts of a process that helps identify a user:
- one public: the API key
- one private: the auth key
Every time you send a request, you send the public key and a string generated by combining the public and private key. The server takes the public key, searches for a valid private key, and tries to compute the value using the same formula, then finally compares what it generates to what you generated.
If they're the same, it continues processing; if they're different, it terminates execution.
The validity of the session id above can be anything you want; usually it'll be long-lived (it can probably last up to 30 days).
Hope this answers your question?
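As an added example (not from the answer above or from any real service), here is the whole flow the answer describes, including the public/private key explanation in the update, simulated in Python. Two in-memory dicts stand in for the two database tables (one keyed by `api_key`, one by `session_id`); the function names, the `accounts` store, the lifetimes and the sample account are constructed assumptions, and the step-2 value is the answer's `md5(api_key . auth_key)` recomputed server-side and compared in constant time.

```python
import hashlib
import hmac
import secrets
import time

# Constructed in-memory stand-ins for the two database tables in the answer:
# one keyed by api_key (the UNIQUE index), one keyed by session_id.
api_keys = {}   # api_key -> {"auth_key": str, "expiry": float}
sessions = {}   # session_id -> {"account_id": str, "expiry": float}

# Constructed sample account store (hypothetical; a real service would
# store a password hash rather than the password itself).
accounts = {"alice": {"password": "correct horse", "account_id": "acct-1"}}

AUTH_KEY_LIFETIME = 300            # seconds an auth_key stays valid (assumed)
SESSION_LIFETIME = 30 * 24 * 3600  # "can probably last up to 30 days"


def step1_request_api_key(now=None):
    """Step 1: issue an api_key/auth_key pair, store it with its expiry,
    and return server time, expiry and both keys to the client."""
    now = time.time() if now is None else now
    api_key = secrets.token_hex(16)
    auth_key = secrets.token_hex(16)
    expiry = now + AUTH_KEY_LIFETIME
    api_keys[api_key] = {"auth_key": auth_key, "expiry": expiry}
    return {"server_time": now, "expiry": expiry,
            "api_key": api_key, "auth_key": auth_key}


def client_signature(api_key, auth_key):
    """The value the client sends in step 2: md5(api_key . auth_key),
    i.e. the md5 of the PHP-style concatenation of the two keys."""
    return hashlib.md5((api_key + auth_key).encode()).hexdigest()


def step2_login(api_key, signature, username, password, now=None):
    """Step 2: look up the api_key, reject an expired auth_key, recompute
    the signature server-side, compare, then check the login details and
    mint a session_id bound to the account."""
    now = time.time() if now is None else now
    row = api_keys.get(api_key)
    if row is None:
        return None, "unknown api_key"
    if now > row["expiry"]:
        return None, "auth_key expired"
    expected = client_signature(api_key, row["auth_key"])
    # Constant-time comparison so the check does not leak timing.
    if not hmac.compare_digest(expected, signature):
        return None, "bad signature"
    account = accounts.get(username)
    if account is None or not hmac.compare_digest(account["password"], password):
        return None, "bad credentials"
    session_id = secrets.token_urlsafe(32)
    sessions[session_id] = {"account_id": account["account_id"],
                            "expiry": now + SESSION_LIFETIME}
    return session_id, "ok"


def step3_request(session_id, action, now=None):
    """Remaining steps: resolve session_id to an account from the session
    table, check the permission for the action, then perform it."""
    now = time.time() if now is None else now
    row = sessions.get(session_id)
    if row is None or now > row["expiry"]:
        return None, "invalid session"
    if action != "read":   # hypothetical permission model: read-only accounts
        return None, "forbidden"
    return row["account_id"], "ok"


def run_flow():
    """Walk the full flow on a fixed constructed clock, plus the failure
    cases the answer mentions (expired auth_key, wrong signature)."""
    t0 = 1_700_000_000
    resp = step1_request_api_key(now=t0)
    sig = client_signature(resp["api_key"], resp["auth_key"])
    sid, login = step2_login(resp["api_key"], sig, "alice", "correct horse", now=t0 + 10)
    account, read = step3_request(sid, "read", now=t0 + 20)
    _, write = step3_request(sid, "write", now=t0 + 20)
    _, expired = step2_login(resp["api_key"], sig, "alice", "correct horse",
                             now=t0 + AUTH_KEY_LIFETIME + 1)
    forged = client_signature(resp["api_key"], "not-the-real-auth-key")
    _, bad_sig = step2_login(resp["api_key"], forged, "alice", "correct horse", now=t0 + 10)
    return {"login": login, "account": account, "read": read, "write": write,
            "expired": expired, "bad_sig": bad_sig}


if __name__ == "__main__":
    print(run_flow())
```

Running the script prints the outcome of each step: the login succeeds, the `read` request resolves to `acct-1`, the `write` request is refused by the permission check, a login attempted after `AUTH_KEY_LIFETIME` fails on expiry, and a signature computed from the wrong `auth_key` is rejected before the credentials are ever looked at, which is the order of checks the answer lays out.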