How to implement 'Token Based Authentication' securely for accessing the website's resources (i.e. functions and data) that is developed in PHPFox?


Question

I want to use methods and resources from the code of a website which is developed in PHPFox.

Basically, I'll receive a request from iPhone/Android, I'll get the request and pass it to the respective function from the PHPFox code, take the response from that function and return it back to the device.

For this purpose I've developed REST APIs using Slim framework.

But the major blocker I'm facing currently is in accessing the resources (i.e. functions and data) of the PHPFox website.

I'm not understanding how I should authenticate the user using 'Token Based Authentication' in order to access the website's resources.

If someone could guide me in the proper direction with some useful working example it would be really helpful for me.

N.B.: The proposed implementation of 'Token Based Authentication' should be very secure and fast in speed. The security should not be compromised in any way.

Following is the code I tried on my own, but I don't know whether it's right or wrong. Is my approach correct or wrong? Please someone analyse it and let me know your feedback on it.

To create a token I use this function, which takes the user's data as a parameter:

define('SECRET_KEY', "fakesecretkey");

function createToken($data)
{
    /* Create a part of token using secretKey and other stuff */
    $tokenGeneric = SECRET_KEY.$_SERVER["SERVER_NAME"]; // It can be 'stronger' of course

    /* Encoding token */
    $token = hash('sha256', $tokenGeneric.$data);

    return array('token' => $token, 'userData' => $data);
}

So a user can authenticate himself and receive an array which contains a token (genericPart + his data, encoded), and his data not encoded:

function auth($login, $password)
{
    // we check user. For instance, it's ok, and we get his ID and his role.
    $userID = 1;
    $userRole = "admin";

    // Concatenating data with TIME
    $data = time()."_".$userID."-".$userRole;
    $token = createToken($data);
    echo json_encode($token);
}

Then the user can send me his token + his un-encoded data in order to check:

define('VALIDITY_TIME', 3600);

function checkToken($receivedToken, $receivedData)
{
    /* Recreate the generic part of token using secretKey and other stuff */
    $tokenGeneric = SECRET_KEY.$_SERVER["SERVER_NAME"];

    // We create a token which should match
    $token = hash('sha256', $tokenGeneric.$receivedData);

    // We check if token is ok ! (constant-time comparison, so the check does not leak timing)
    if (!hash_equals($token, (string) $receivedToken))
    {
        echo 'wrong Token !';
        return false;
    }

    // data has the form "<time>_<userID>-<role>"; reject anything else
    $parts = explode("_", $receivedData, 2);
    if (count($parts) !== 2)
    {
        echo 'malformed data !';
        return false;
    }
    list($tokenDate, $userData) = $parts;

    // here we compare tokenDate with current time using VALIDITY_TIME to check if the token is expired
    // if token expired we return false
    if (!ctype_digit($tokenDate) || (int) $tokenDate + VALIDITY_TIME < time())
    {
        echo 'Token expired !';
        return false;
    }

    // otherwise it's ok and we return a new token (same "_" separator, so the next check can split it again)
    return createToken(time()."_".$userData);
}

$check = checkToken($_GET['token'] ?? '', $_GET['data'] ?? '');
if ($check !== false)
    echo json_encode(array("secureData" => "Oo", "token" => $check)); // And we add the new token for the next request

Am I right?

Thanks.

Answer

1st, you should understand what token based authentication is. It could be explained as below.

The general concept behind a token-based authentication system is simple. Allow users to enter their username and password in order to obtain a token which allows them to fetch a specific resource - without using their username and password. Once their token has been obtained, the user can offer the token - which offers access to a specific resource for a time period - to the remote site.

Read more: http://www.w3.org/2001/sw/Europe/events/foaf-galway/papers/fp/token_based_authentication/

Now let's see what the steps of implementing it in your REST web service are.

It will use the following flow of control:


      
• The user provides a username and password in the login form and clicks Login.

• After the request is made, validate the user on the backend by querying the database. If the request is valid, create a token using the user information fetched from the database and return it in the response header, so that the token information can be stored in the browser's local storage.

• Provide the token information in every request header to access restricted endpoints in the application.

• If the token information fetched from the request header is valid, let the user access the specified endpoint and respond with JSON or XML.

See the image below for the flow of control

You might be wondering what a JWT is.

JWT stands for JSON Web Token and is a token format used in authorization headers. This token helps you to design communication between two systems in a secure way. Let's rephrase JWT as the "bearer token" for the purposes of this tutorial. A bearer token consists of three parts: header, payload, and signature.


      
• Header is the part of the token that keeps the token type and encryption method, which is also encrypted with base-64.

• Payload includes the information. You can put any kind of data like user information, product information and so on, all of which is stored with base-64 encryption.

• Signature consists of combinations of header, payload and secret key. The secret key must be kept securely on the server side. You can see the JWT schema and an example token below;

You do not need to implement the bearer token generator as you can use php-jwt.

Hope the above explains your confusion. If you come across any issues implementing token based authentication, let me know. I can help you.
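A compact worked example of the three-part bearer token the answer describes, added here and not taken from the question, the answer or php-jwt: it issues an HS256 JWT once the login check has passed, and on a later request verifies the signature and the expiry, the check the question's checkToken only left as a comment. SECRET_KEY, VALIDITY_TIME, the user id and the role are made-up values.

```php
<?php
// Added example, not code from the question, the answer or php-jwt: a minimal
// HS256 bearer token built and verified by hand to show the answer's three parts
// (header.payload.signature). SECRET_KEY, VALIDITY_TIME, user id and role are made up.
define('SECRET_KEY', 'replace-with-a-long-random-secret');
define('VALIDITY_TIME', 3600);

function b64url(string $raw): string {
    return rtrim(strtr(base64_encode($raw), '+/', '-_'), '=');
}

function b64url_decode(string $enc): string {
    return base64_decode(strtr($enc, '-_', '+/'));
}

// Keyed hash over header.payload: nobody without SECRET_KEY can alter either part.
function sign(string $signingInput): string {
    return b64url(hash_hmac('sha256', $signingInput, SECRET_KEY, true));
}

// Called once the username/password check has succeeded.
function issueToken(int $userId, string $role, int $now): string {
    $header  = b64url(json_encode(['typ' => 'JWT', 'alg' => 'HS256']));
    $payload = b64url(json_encode(['sub' => $userId, 'role' => $role,
                                   'iat' => $now, 'exp' => $now + VALIDITY_TIME]));
    return "$header.$payload." . sign("$header.$payload");
}

// Checks the token sent with each later request; returns the claims, or null
// when the token is malformed, uses another algorithm, is forged or has expired.
function verifyToken(string $token, int $now): ?array {
    $parts = explode('.', $token);
    if (count($parts) !== 3) {
        return null;
    }
    [$header, $payload, $sig] = $parts;
    $hdr = json_decode(b64url_decode($header), true);
    if (!is_array($hdr) || ($hdr['alg'] ?? null) !== 'HS256') {
        return null; // accept only the algorithm the server itself uses
    }
    if (!hash_equals(sign("$header.$payload"), $sig)) {
        return null; // constant-time compare, so the check does not leak timing
    }
    $claims = json_decode(b64url_decode($payload), true);
    return (is_array($claims) && ($claims['exp'] ?? 0) > $now) ? $claims : null;
}

$token = issueToken(1, 'admin', time());
var_dump(verifyToken($token, time()));
var_dump(verifyToken($token, time() + VALIDITY_TIME + 1));
```

The first var_dump prints the claims array, the second prints NULL because the token is past its exp; the client would send the token in an Authorization: Bearer header and the Slim route would call verifyToken before touching any PHPFox function.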
