Rails 3 - basic http authentication vs authentication token with iphone


Question


Initially I was using basic http authentication to authenticate a user with devise following this guide:

http://jessehowarth.com/2011/04/27/ajax-login-with-devise


I was successfully able to authenticate a user, but the session remained logged in forever. There was no way to destroy the user's session. In fact, when I added the user_signed_in? method of devise within my create method, it would always return true even when logging out via json. So I came to the conclusion that there is no way to end a session using basic http authentication. All you could really do is check if the user is already signed in and send a status code as json back to the client.


So then I tried the authentication token route, which allowed you to create a session with an authentication token and then destroy a session by deleting that authentication token, and the user would have to sign in again in order to access pages that require authentication, as shown in this post:

Devise and authentication with CURL!


The downside of this is the fact that you have this very long string that you have to enter in for each page that requires authentication, which seems a little undesirable. I wish there was a best of both worlds here, where you can log in and out like you do in a web browser.


I'm not sure if everything I am saying is accurate, but it seems in line with this post:

http authentication in devise and rails 3


In that post, he says authentication token is "more secure than http basic authentication since the key can expire". I assume he means that once you are logged in using basic authentication, then that's it, you are logged in forever, whereas with an authentication token you can expire it and force the user to sign in again. Is this an accurate interpretation?

Thanks for any response.

Answer


The way that HTTP authentication works, once a browser is logged in (i.e. is sending WWW-Authenticate headers), it will stay logged in until its HTTP authentication cache is expired (usually when you exit the browser).


Since browsers continue to send valid credentials in HTTP authentication (there is no "HTTP logout"), that's why you're seeing the user still logged in.


My recommendation is to use the authentication_token functionality in Devise and pass ?auth_token to your APIs. Keep in mind that you have to pass them as part of the URL even if it is a POST/DELETE/PUT/etc. (this is a Devise bug that may be fixed by now).
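To make the difference the answer describes concrete, here is an added plain-Ruby example (not code from the question, the answer or Devise) of a server-side token table: sign-in issues a random token, sign-out deletes it, and a deleted or expired token is rejected on the next request, which is exactly what HTTP Basic cannot offer because the browser keeps re-sending valid credentials. The `TTL` value, the class and the `auth_token_from_url` helper are assumptions for illustration; the query-parameter name `auth_token` follows the answer.

```ruby
require 'securerandom'
require 'uri'
require 'cgi'

# Server-side session table keyed by random token. Because the server owns the
# record it can expire or revoke it; HTTP Basic has nothing server-side to destroy.
class TokenSessions
  TTL = 3600 # seconds a token stays valid (assumed value, not from Devise)
  def initialize(clock: -> { Time.now.to_i })
    @clock = clock                 # injectable so expiry can be tested
    @sessions = {}                 # token => { user_id:, expires_at: }
  end

  # sessions#create: issue a fresh unguessable token for the user.
  def sign_in(user_id)
    token = SecureRandom.urlsafe_base64(32)
    @sessions[token] = { user_id: user_id, expires_at: @clock.call + TTL }
    token
  end

  # sessions#destroy: forget the token; the same string is rejected afterwards.
  def sign_out(token)
    !@sessions.delete(token).nil?
  end

  # Returns the user_id for a live token, or nil if unknown, revoked or expired.
  def authenticate(token)
    return nil if token.nil? || token.empty?
    record = @sessions.find { |stored, _| constant_time_equal?(stored, token) }&.last
    return nil if record.nil?
    if record[:expires_at] <= @clock.call
      @sessions.delete(token)      # lazily purge expired entries
      return nil
    end
    record[:user_id]
  end

  private
  # Compare without short-circuiting on the first differing byte.
  def constant_time_equal?(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

# Pull ?auth_token=... out of a request URL, as the answer suggests for Devise.
def auth_token_from_url(url)
  CGI.parse(URI(url).query.to_s)['auth_token'].first
end
```

Tokens passed in the URL end up in server and proxy logs, so treat those logs as sensitive, or send the token in a request header once the Devise issue the answer mentions no longer forces the query-string form.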
