
Google+ Sign In - Security with one-time code

I am about to make an application and just want to make sure this flow is good, in case there is a security issue.

  • Client = Android
  • Server = PHP

I am going to use the One-Time code flow to authenticate the client and the server.

First question: is there any issue sending this one-time code over HTTP and not using HTTPS?

Once this is done, I will use the User ID supplied from Google+ to identify the user. This User ID from Google will be stored in my database so I will be able to track the user.

As on Android anyone can decompile the code, they will be able to see how I am sending the request to my server. I will be sending a POST request to a particular PHP page and in return the PHP page will return JSON. In the PHP page I will need to run the code below to make sure the session is set up before passing the JSON back to my Android application?

// Reject the request unless the 'state' sent by the client matches the one stored in the server-side session
if ($request->get('state') != ($app['session']->get('state'))) {
    return new Response('Invalid state parameter', 401);
}

Will this have any security implication? If there is a topic out there that answers this please point me to it, as I could not find anything.

First answer - yes, there are a lot of risks sending it via HTTP instead of HTTPS. Although the code has a very limited lifetime, it still means that if someone wanted to intercept and use the code, they can easily do so before your server gets a hold of it. You might be able to get away with a self-signed certificate for what you're doing, but you really shouldn't be using HTTP in production.

The session management has a couple of possible implications, though I'm not sure either is directly related to the Google+ sign-in. While this check does help ensure that the connection is from a legitimate session, rather than one that might have been run as part of an exploit, it isn't clear how you're doing session management, or what other activities might happen if this error comes across; but it might also be a good way that you're limiting resources used in case of a DoS attack.

Do not send the one-time code to the server over HTTP.
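The following is an added example (not code from the original question or answer, and not Google's own client library) of how the PHP side of this flow can be hardened along the lines the answer describes: refuse plaintext HTTP, compare the state value in constant time and consume it so it is single-use, exchange the one-time code at Google's token endpoint, and check the ID token's audience, issuer and expiry before trusting the Google user ID (`sub`). The constants CLIENT_ID and CLIENT_SECRET, the session key 'state', the redirect_uri value 'postmessage', and the helper function names are assumptions made for this example; the HTTP POST is passed in as a callable so the exchange logic can be exercised with a canned response and no network access.

```php
<?php
// Added example, not the original poster's code. CLIENT_ID, CLIENT_SECRET,
// the 'state' session key and all function names are assumptions.
declare(strict_types=1);

const CLIENT_ID     = 'YOUR_CLIENT_ID.apps.googleusercontent.com'; // placeholder
const CLIENT_SECRET = 'YOUR_CLIENT_SECRET';                        // placeholder
const TOKEN_URL     = 'https://oauth2.googleapis.com/token';

// 1. Refuse plaintext HTTP: until it is exchanged, the one-time code is a bearer
//    credential. Behind a TLS-terminating proxy, check X-Forwarded-Proto instead,
//    and only trust that header if the proxy overwrites it on every request.
function requireHttps(array $server): void {
    if (empty($server['HTTPS']) || $server['HTTPS'] === 'off') {
        http_response_code(403);
        exit(json_encode(['error' => 'HTTPS required']));
    }
}

// 2. Constant-time comparison of the client-supplied state against the session
//    copy; the stored value is removed first so it cannot be replayed.
function checkState(?string $supplied, array &$session): bool {
    $expected = $session['state'] ?? null;
    unset($session['state']);
    if (!is_string($supplied) || !is_string($expected)) {
        return false;
    }
    return hash_equals($expected, $supplied);
}

// 3. Exchange the one-time code for tokens. $post(url, fields) returns the
//    response body, so a fake client can stand in for cURL in tests.
function exchangeCode(string $code, callable $post): array {
    $body = $post(TOKEN_URL, [
        'code'          => $code,
        'client_id'     => CLIENT_ID,
        'client_secret' => CLIENT_SECRET,
        'redirect_uri'  => 'postmessage',   // value used by the Google+ one-time-code flow
        'grant_type'    => 'authorization_code',
    ]);
    $tokens = json_decode($body, true);
    if (!is_array($tokens) || empty($tokens['id_token'])) {
        throw new RuntimeException('token exchange failed');
    }
    return $tokens;
}

// 4. Read "sub" from the ID token. The token arrived directly from Google's
//    endpoint over TLS, so the signature is not re-verified here, but aud, iss
//    and exp must still be checked before the user ID is trusted.
function googleUserId(string $idToken, int $now): string {
    $parts = explode('.', $idToken);
    if (count($parts) !== 3) {
        throw new RuntimeException('malformed id_token');
    }
    $claims = json_decode(base64_decode(strtr($parts[1], '-_', '+/')), true);
    $validIss = ['accounts.google.com', 'https://accounts.google.com'];
    if (!is_array($claims)
        || ($claims['aud'] ?? null) !== CLIENT_ID
        || !in_array($claims['iss'] ?? '', $validIss, true)
        || (int) ($claims['exp'] ?? 0) <= $now
        || empty($claims['sub'])) {
        throw new RuntimeException('id_token rejected');
    }
    return (string) $claims['sub'];
}

// Real HTTP POST for production use; certificate verification stays on.
function curlPost(string $url, array $fields): string {
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_POST           => true,
        CURLOPT_POSTFIELDS     => http_build_query($fields),
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_SSL_VERIFYPEER => true,
    ]);
    $out = curl_exec($ch);
    curl_close($ch);
    return $out === false ? '' : $out;
}

// Endpoint glue: runs when this file is the POST target of the Android client.
if (PHP_SAPI !== 'cli') {
    requireHttps($_SERVER);
    session_start();
    header('Content-Type: application/json');
    if (!checkState($_POST['state'] ?? null, $_SESSION)) {
        http_response_code(401);
        exit(json_encode(['error' => 'Invalid state parameter']));
    }
    try {
        $tokens = exchangeCode($_POST['code'] ?? '', 'curlPost');
        $userId = googleUserId($tokens['id_token'], time());
        $_SESSION['google_user_id'] = $userId;   // look up / create the DB row by this id
        echo json_encode(['user_id' => $userId]);
    } catch (RuntimeException $e) {
        http_response_code(401);
        echo json_encode(['error' => $e->getMessage()]);
    }
}
```

Two points worth noting when adapting this: `hash_equals` replaces the loose `!=` comparison in the question, which would otherwise accept a missing or type-juggled `state`; and the user ID is only taken from an ID token whose `aud` matches your own client ID, so a code or token issued to some other application cannot be used to log in as that user on your server.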
