
Authenticating between php and node.js

I have a web application written in PHP and plan to add chat functionality to it. I decided to use node.js as this seems perfect for the job, and PHP sort of stinks for this sort of thing.

At some point I need to make sure that the request to the socket.io server is legitimate. I need to make sure the request is from a page my PHP generated. Trying to keep it simple, I came up with this idea. OK, so the client/server process would be:

  1. Client opens a web page and PHP receives the request. PHP creates a hash of some sort and contacts the node HTTP server via GET. For this I was thinking to simply curl 127.0.0.1 and pass the hash; not sure if this would be as easy though with Apache already running.

  2. Node would receive this hash and store it as a property in an object so the following requests from the client would have access to it.

  3. When curl comes back, PHP renders the page and passes this hash to the client.

  4. Client makes a request to the node server on some port, passes this hash and node calls the callback. Now node checks if the hash is one of the properties of the object I described in step 2.

  5. If the hash is one of the properties then process the request, otherwise something dodgy is happening and ignore it.

That is the general idea and I would like to know if this has any obvious flaws that I should consider before implementing. Any advice would be much appreciated.

  1. Standard scheme. Use redis/memcached/RDBMS for saving the token on the server side.

    • + fast
    • + you implement the mechanism of token creation in one place
    • - all tokens may be lost in some cases
  2. Signed cookies technique.

Create the token on the PHP side. Like:

$token = some_special_hash_not_md5_not_sha1(
                 $userID . $server_side_super_safe_salt);

Send the token and userID via cookies.

Check on the node side whether this token is valid.

  • + no db
  • - have to find a function on node and PHP which produces identical signatures
  • - you have to know a lot about crypto if you want to create safe code

For example, if some_special_hash_not_md5_not_sha1() is PBKDF2, some people may DDoS you with a large $userID.

Tips on signed cookies instead of sessions 有关已签名Cookie而非会话的提示
