Is session used for REST authentication?


Question

Sorry for the noobish question, this is the first time I try to implement a REST interface (in PHP). Anyway, because of the stateless nature of the HTTP protocol, what's the best practice in order to ensure that:

GET /user/{id}/friends

is always and only executed by the current authenticated user? Is a session usually used as a method to restrict REST access?

Answer

You can use HTTP sessions, which are nothing more than server-side cookies. They're usually ok, but there have been a lot of reports of session hijacking lately. So my answer, if you're really concerned about this, is to use HMAC. It's tricky to set up, but once it is you can be sure that the message really did come from an authenticated user.
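The HMAC approach the answer recommends, as an added example in PHP that is not part of the original answer: the client signs the method, path and a timestamp with a per-user secret, the server recomputes the HMAC and then checks that the authenticated user is the {id} whose friends are requested. The header names, the key store and the secrets are constructed placeholders for illustration.

```php
<?php
// Added example, not from the original answer. The per-user secrets below are
// constructed placeholders; a real deployment would load them from a key store.
const KEYS = ['alice' => 'placeholder-secret-for-alice', 'bob' => 'placeholder-secret-for-bob'];
const MAX_SKEW = 300; // seconds; limits how long a captured signature can be replayed

// The exact string both sides sign; any change to method, path or time breaks the MAC.
function canonical(string $method, string $path, int $ts): string {
    return strtoupper($method) . "\n" . $path . "\n" . $ts;
}

function sign(string $secret, string $method, string $path, int $ts): string {
    return hash_hmac('sha256', canonical($method, $path, $ts), $secret);
}

// Returns the authenticated user id, or null if the request must be rejected.
function authenticate(array $headers, string $method, string $path, int $now): ?string {
    if (!isset($headers['X-User'], $headers['X-Timestamp'], $headers['X-Signature'])) {
        return null;
    }
    $user = $headers['X-User'];
    $ts = (int) $headers['X-Timestamp'];
    if (!isset(KEYS[$user]) || abs($now - $ts) > MAX_SKEW) {
        return null; // unknown user, or timestamp outside the accepted window
    }
    $expected = sign(KEYS[$user], $method, $path, $ts);
    // hash_equals compares in constant time so the comparison leaks nothing via timing
    return hash_equals($expected, $headers['X-Signature']) ? $user : null;
}

// Authorization step: the friends list for /user/{id}/friends is served only to that user.
function canReadFriends(?string $authUser, string $path): bool {
    if ($authUser === null || !preg_match('#^/user/([^/]+)/friends$#', $path, $m)) {
        return false;
    }
    return $m[1] === $authUser;
}

// Client side: alice signs a request for her own friends list.
$now = time();
$headers = [
    'X-User'      => 'alice',
    'X-Timestamp' => (string) $now,
    'X-Signature' => sign(KEYS['alice'], 'GET', '/user/alice/friends', $now),
];
// Server side: accepted for alice's own path; the same headers presented against
// bob's path fail the MAC, and a valid signature from alice never unlocks bob's list.
var_dump(canReadFriends(authenticate($headers, 'GET', '/user/alice/friends', $now), '/user/alice/friends'));
var_dump(canReadFriends(authenticate($headers, 'GET', '/user/bob/friends', $now), '/user/bob/friends'));
```

Serve the API over TLS so the secret exchange and the headers are not exposed in transit; the timestamp window only bounds replay, it does not prevent it within the window, so a nonce cache is the usual addition.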
