Rails 3 - basic http authentication vs authentication token with iphone

Question

Initially I was using basic http authentication to authenticate a user with devise following this guide:

http://jessehowarth.com/2011/04/27/ajax-login-with-devise

I was successfully able to authenticate a user, but the session remained logged in forever. There was no way to destroy the user's session. In fact, when I added the user_signed_in? method of devise within my create method, it would always return true even when logging out via json. So I came to the conclusion that there is no way to end a session using basic http authentication. All you could really do is check if the user is already signed in and send a status code as json back to the client.

So then I tried the authentication token route, which allowed you to create a session with an authentication token and then destroy a session by deleting that authentication token, and the user would have to sign in again in order to access pages that require authentication, as shown in this post:

Devise and authentication with CURL!

The downside of this is the fact that you have this very long string that you have to enter in for each page that requires authentication, which seems a little undesirable. I wish there was a best of both worlds here, where you can log in and out like you do in a web browser.

I'm not sure if everything I am saying is accurate, but it seems in line with this post:

http authentication in devise and rails 3

In that post, he says authentication token is "more secure than http basic authentication since the key can expire". I assume he means that once you are logged in using basic authentication, then that's it, you are logged in forever, whereas with an authentication token you can expire it and force the user to sign in again. Is this an accurate interpretation?

Thanks for any replies.

Answer

The way that HTTP authentication works, once a browser is logged in (i.e. is sending WWW-Authenticate headers), it will stay logged in until its HTTP authentication cache is expired (usually when you exit the browser).

Since browsers continue to send valid credentials in HTTP authentication (there is no "HTTP logout"), that's why you're seeing the user still logged in.

My recommendation is to use the authentication_token functionality in Devise and pass ?auth_token to your APIs. Keep in mind that you have to pass them as part of the URL even if it is a POST/DELETE/PUT/etc. (this is a Devise bug that may be fixed by now).