简体繁体 English

PHP中的REST Api的身份验证令牌

[英]Auth tokens for REST Api in PHP

原文 2014-03-26 21:00:42 6 1 php/ api/ rest

I am new to PHP :). 我是PHP的新手:)。 I am creating a REST API with PHP which would be used by mobile clients(Android and IOS). 我正在用PHP创建一个REST API，移动客户端（Android和IOS）将使用它。 Currently the PHP website(yii) allows users to login with username and password(hashed and stored in DB). 目前，PHP网站（yii）允许用户使用用户名和密码（散列并存储在DB中）登录。 The way I think of implementing this is, I can have a login REST api call that authenticates the user and generates a token(some random number or sessionid) and sends a hash of that token to the client. 我想到的实现方式是，我可以进行登录REST api调用，该调用对用户进行身份验证并生成令牌（一些随机数或sessionid），并将该令牌的哈希发送给客户端。 The client then can pass that token on the http header everytime on the REST api call and the api methods will validate this on every call? 然后，客户端可以在每次REST api调用时在http标头上传递该令牌，而api方法是否会在每次调用时对此进行验证？

Now, 现在，

I want to know if there are any disadvantages of this approach? 我想知道这种方法是否有缺点？
Also are there any PHP examples of how to do this? 还有任何有关如何执行此操作的PHP示例吗？
How does this token ensure security? 该令牌如何确保安全性？ Can someone sniff this token and send it in the request and the server will still allow it? 有人可以嗅探此令牌并将其发送到请求中，服务器仍将允许它吗？ Or Assuming i expire the token with time, should the mobile again authenticate to get a new token? 还是假设我随着时间的推移使令牌过期，手机应该再次进行身份验证以获取新的令牌吗？

1 个解决方案

My answer isn't going to be the only one and I am sure you will get a lot of feedback on such a question. 我的答案将不会是唯一的答案，我相信您会在这个问题上得到很多反馈。

First the hash. 首先是哈希。 I wouldn't suggest doing it this way. 我不建议这样做。 The hash can be snitched in route by man in the middle attack etc. Generally sensitive information in the URL is a bad idea. 哈希可以在中间攻击等情况下被人窃取。通常，URL中的敏感信息是个坏主意。

Why not use a common session? 为什么不使用普通会话？ Authorize on the first call... then the session have been created on the server and the caller... this way you ensure that requests coming next is authorized. 在第一个呼叫上进行授权...然后在服务器和调用方上创建会话。这样，您可以确保下一个请求得到授权。

The user/service/server can simply refer to the session cookie created and by doing so be validated. 用户/服务/服务器可以简单地引用创建的会话cookie，并通过它进行验证。 This way is much more secure and doesn't expose sensitive information. 这种方式更加安全，并且不会泄露敏感信息。

And.. use HTTPS if possible of course... otherwise the information is also acceptable to attacks. 并且..如果可能的话，请使用HTTPS ...否则信息也可能受到攻击。 It all depends on what level you want security. 这完全取决于您想要的安全级别。 You can stack layers of security... but that might not make sense if your sending information about cats over the line :) 您可以堆叠安全层...但是，如果您通过网络发送有关猫的信息，那可能就没有意义了：)