使用PHP为移动设备令牌认证 [英] Token authentication using PHP for mobile devices
问题描述
我正在写一个iPhone应用程序是我的网站的移动版本。
I'm writing an iPhone app to be the mobile version of my website.
我打算揭露一些REST API使应用程序可以更新用户的数据。
I intend to expose some REST API so the app can update the user's data.
我不希望用户登录每一次,但我想救他的令牌/ cookie,并重新使用它为今后所有申请。
I do not wish the user to login every time, but I want to save his token/cookie and reuse it for all future requests.
我可以设置一个随机令牌,并通过它与用户ID一起,但因为它很容易访问越狱设备上它不是很安全。使用IP我不能限制它,因为IP可能会经常发生变化(因为它是一个移动设备)。
I can setup a random token and pass it along with the user ID, but it's not very secure since it's easy to access it on a jailbroken device. I cannot restrict it using an IP, since the IP will probably change frequently (since it's a mobile device).
什么是实现这些,这将是足够安全的,但不会问他要经常验证自己骚扰用户?认证的最佳方式。
What's the best way to implement such an authentication which will be secure enough but won't annoy the user by asking him to authenticate himself often?
推荐答案
与初始登录信息到你的服务器发送UDID或MAC地址。为该用户创建/ UDID(或Mac)组合的唯一凭证,并发送回(加密)到设备,如果用户名/密码是成功的。在随后的访问时,设备将重新认证的加密令牌和UDID / MAC(通过安全连接)。
send the UDID or mac address with the initial login details to your server. create a unique token for this user/UDID (or mac) combination and send it back(encrypted) to the device if username/pass is successful. on subsequent access, the device sends the encrypted token and UDID/mac (over secure connection) for re-authentication.
如果你想要把偏执的人放心关于跟踪UDID,可以转而使用UDID / MAC盐的加密令牌,但这不会是为安全,但还是应该做的工作。
if you want to put paranoid people at ease about tracking UDID, you could instead use the UDID/mac to salt the encrypted token, but this wont be as secure, but should do the job still.
这篇关于使用PHP为移动设备令牌认证的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
