如何实现基于令牌的身份验证?
[英]How to implement a token based authentication?
问题描述
I have to implement a token based authentication. 
我必须实现基于令牌的身份验证。
Users have a username and a password. 用户具有用户名和密码。 I use the SHA512 method to encrypt the password before inserting it into the database. 在将密码插入数据库之前,我使用SHA512方法对密码进行加密。 For retrieving data from the server, making queries and other simple actions, I need to know who is asking for the data and if this person is authenticated. 为了从服务器检索数据,进行查询和其他简单操作,我需要知道谁在索要数据以及此人是否已通过身份验证。 I want to use a token. 我想使用令牌。 During the registration the server creates a token for the user and saves it in the Person table into the database, with username and encrypted password. 在注册过程中,服务器为用户创建一个令牌,并使用用户名和加密的密码将其保存在“人”表中。 Now, when a user wants to get some data from the server, he can use the token. 现在,当用户想要从服务器获取一些数据时,他可以使用令牌。
Is there a way in which the server can understand who the user is using token, or do I need to pass the username too? 服务器是否可以通过某种方式了解用户正在使用令牌的用户,还是我也需要传递用户名? How can I know when the token expires without adding a field in the Person table? 我如何知道令牌何时过期而不在“个人”表中添加字段?
I'm not sure I have understand the proper use of a token, and I have no idea on how implement it. 我不确定我是否了解令牌的正确使用方式,也不知道如何实现它。 I use php for implementing communications between the server/database and an Android application. 我使用php来实现服务器/数据库与Android应用程序之间的通信。
1 个解决方案
解决方案1
0 2015-04-22 14:10:15
As you said, it's better to provide username and token each time you send request to the backend. 如您所说,每次向后端发送请求时,最好提供用户名和令牌。 So you can know if the token is expired or not. 这样您就可以知道令牌是否过期。 Also this let your service/backend support HTTP Basic authentication which requires a caller to set a specific header contains username:password encoded using base64. 另外,这还使您的服务/后端支持HTTP Basic身份验证,该身份验证要求调用者设置特定的标头,该标头包含使用base64编码的username:password。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.