Handling login functionality for native app connecting to web service


Problem description


After extensive research, I have not been able to find a clear answer to my question. Firstly, can anyone tell me the basic logic of handling "login functionality" for a native iPhone app connecting to a web service? For instance, the Facebook app asks for a username and password immediately after launch, and from there you have full access to your account in all successive views of the app. Each time you post something etc., you do not have to re-login... Can someone please explain this process to me? Is it done through cookies or sessions? Is Keychain involved?

I have a semi-working app right now but I'm almost positive I could be doing it better and more securely. Here is what I'm doing:

1) Set up a local server with a database of users (username and password columns and other tables etc.) using mysql. Wrote a simple web-service that takes in POST data and queries the database to check that the username exists... and if it does, that the passwords are equal. Using sha1 hashing. Echo true or false accordingly.

2) My app has an initial login screen with 2 text fields (1 for username and 1 for password) and a button that calls the login method. My login method does the following:

  • init an *NSURL with a string (the URL of my web service: @"http://webservice.com/login.php")
  • init an *ASIFormDataRequest with that URL
  • set the POST values with the password and email text in the text fields
  • set the delegate to itself
  • call startAsynchronous on the request
  • implement the requestFinished method to retrieve the "true" or "false" echoed from the web service
  • depending on the response, move forward to the next view; else, make an alert telling the user to retry

So, my questions are:

1) Is this secure for sending passwords? (via ASIHTTPRequest and the POST method?)

2) In the succeeding views, the user should be able to interact with their account (like posting messages and statuses and pictures on Facebook). How do I persist the user's logged-in status so that every time the user interacts with the database, I can ensure that the user is still logged in and that it's the same user? For instance, the only way I can think of doing this is if I store a cookie on the user's device with the username and password, and then every successive interaction with the web service / database does an authentication with the cookie values (username and password).

There has got to be a better way of doing this? Maybe sessions or cookies? Or by using Keychain?

Thanks for the help guys, and sorry for the long question!


Solution

Here are my thoughts based on what I know:

1) Is this secure for sending passwords? (via ASIHTTPRequest and the POST method?)

You need to make sure you are sending this information via HTTPS (SSL) and not plain HTTP. The reason is, you don't have control over where the user's wireless access point is. For all you know, the user could connect to an open access point that belongs to a particular hacker. Having it transmitted in the clear will enable him to sniff the packet and get the required information to access the web service even though the password is hashed. Having it sent via HTTPS would ensure that the packet is encrypted with a strong key. Even if a hacker manages to sniff the packet out, it will take him/her a long time before he/she is able to decrypt the message.

2) In the succeeding views, the user should be able to interact with their account (like posting messages and statuses and pictures on Facebook). How do I persist the user's logged-in status so that every time the user interacts with the database, I can ensure that the user is still logged in and that it's the same user?

One commonly employed method to do this is to get a session token after the user has logged in. That is, you create a randomly generated ID that you return upon successful login. You would then map this token to the user id in the backend, and it is associated with a session timeout. You refresh this timeout every time the user connects to the web service and time it out after a certain period to avoid a breach of security. You would then persist the session token on the device and use that for subsequent calls. As long as the session is alive, the user is logged in. As the token is associated with a specific user, you also ensure the identity of the caller.

Preventing someone else from using other people's tokens is the reason why you need SSL to secure the channel and prevent sniffing. Assuming that you have secured your connection channels, the only ways to get the token are

  1. to verify the identity via login
  2. The phone is stolen by hackers who could take the token by inspecting the local storage.

The mapping is necessary so you can validate that the token is a real token that has been associated with the user via login activity. Furthermore, for number 2, you can offer a remote wipe feature that basically kills the mapping and makes that token invalid.

Another very important part of this token is that the token cannot be guessable and has to be cryptographically random (see Randomness Recommendations for Security). If the token is only based on pseudo-randomness, a clever hacker might be able to guess its algorithm and can guess its next/previous token, and has a possibility of obtaining any valid token in the table.

There are many algorithms to generate this token. For example, the Java programming language provides a SecureRandom class in order to provide cryptographic randomness, and .NET has a similar secure RandomGenerator class.

If you want to look at the algorithm, OATH has proposed the Time-Based One-Time Password Algorithm (TOTP), which is an extension of HOTP. Most languages/platforms would have a cryptographically strong random generator that you could leverage immediately, without having to write it yourself.

Depending on your service implementation/platform, you might want to ask SO for a suitable class/module for cryptographically random generator such as the one asked here "How do you generate cryptographically secure random numbers with php"
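The token scheme the answer describes, as an added example that is not part of the original answer or the asker's code, written in Python standing in for the asker's PHP backend: a cryptographically random token is issued only after a credential check, mapped server-side to a user id with an idle timeout that is refreshed on every call, and killed either by logout or by a "remote wipe" that invalidates every token for a user (the answer's case of a stolen phone). The user table, its sha1 format (kept as the asker describes it), the 30-minute timeout and the `FakeClock` are constructed assumptions for the demonstration.

```python
import hashlib
import hmac
import secrets
import time

# Idle timeout: a session that is not used for this long is dropped (constructed value).
SESSION_IDLE_TIMEOUT = 30 * 60  # seconds


class SessionStore:
    """Server-side map from random session token to user id, with an idle timeout."""

    def __init__(self, now=time.time):
        self._now = now        # injectable clock so expiry can be exercised deterministically
        self._sessions = {}    # token -> {"user_id": ..., "expires_at": ...}

    def create(self, user_id):
        # 32 bytes from the OS CSPRNG via `secrets` (not `random`): no seed, no
        # sequence to predict, so one token says nothing about the next one.
        token = secrets.token_urlsafe(32)
        self._sessions[token] = {
            "user_id": user_id,
            "expires_at": self._now() + SESSION_IDLE_TIMEOUT,
        }
        return token

    def validate(self, token):
        """Return the user id bound to `token` and refresh its idle timeout, or None."""
        entry = self._sessions.get(token)
        if entry is None:
            return None                      # never issued, or already revoked
        now = self._now()
        if now >= entry["expires_at"]:
            del self._sessions[token]        # idle too long: drop the mapping
            return None
        entry["expires_at"] = now + SESSION_IDLE_TIMEOUT
        return entry["user_id"]

    def revoke(self, token):
        """Logout: remove a single token. Returns True if it existed."""
        return self._sessions.pop(token, None) is not None

    def revoke_user(self, user_id):
        """Remote wipe for a lost phone: kill every mapping for this user."""
        dead = [t for t, e in self._sessions.items() if e["user_id"] == user_id]
        for t in dead:
            del self._sessions[t]
        return len(dead)


# Constructed user table in the asker's format: username -> sha1(password) hex.
USERS = {
    "alice": {"user_id": 1, "pw_sha1": hashlib.sha1(b"correct horse").hexdigest()},
}


def login(store, username, password):
    """Check credentials the way the asker's endpoint does, then issue a session token."""
    record = USERS.get(username)
    if record is None:
        return None
    digest = hashlib.sha1(password.encode()).hexdigest()
    # compare_digest takes the same time whether or not leading characters match
    if not hmac.compare_digest(digest, record["pw_sha1"]):
        return None
    return store.create(record["user_id"])


def handle_post(store, token):
    """Any later call (post a message, upload a picture) is authorised by the token alone."""
    user_id = store.validate(token)
    if user_id is None:
        return {"ok": False, "error": "session expired or invalid; log in again"}
    return {"ok": True, "user_id": user_id}


class FakeClock:
    """Constructed clock for the demo: advance `t` instead of waiting."""

    def __init__(self, t=1000.0):
        self.t = t

    def __call__(self):
        return self.t


if __name__ == "__main__":
    clock = FakeClock()
    store = SessionStore(now=clock)
    tok = login(store, "alice", "correct horse")
    print("issued token:", tok)
    print("post right away:", handle_post(store, tok))
    clock.t += SESSION_IDLE_TIMEOUT + 1
    print("post after idle timeout:", handle_post(store, tok))
```

The device only ever stores the opaque token (the answer's reason for keeping it in local storage rather than the password), and the server never trusts anything in the request except that the token is present in its own table; the client cannot forge a mapping, and revocation is a single delete on the server side.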
