Storing user password in PHP for RESTful API authentication

I am currently in the process of designing architecture which allows my client websites to communicate with a master RESTful API secured by Basic Authentication on another server using a cross origin header.

When users register on one of the websites the form is posted to a PHP file that then creates a stream and posts the data over to the API on the master server (both servers are SSL secured).

The issue comes after this. With each request to the API I need to re-provide the users' username and password in order to successfully authenticate them through Basic Authentication.

How can I safely store the username and password of the user so that I can continue to provide the client website with access to the API whilst the user makes changes to their account?

Would it be considered secure enough to store an encrypted username and password in session variables? Users will be passing sensitive information such as a credit card number through to the master API so security is top priority.

If you really really need to store the username and password in the SESSION, then encrypt both the username and password with a server-side key.

This server-side key will be in a file on your server BUT NOT IN THE ROOT FOLDER, outside the root folder, and you can decrypt while you are sending the credentials to the API.

So, even if your sessions are hijacked, it won't be easy to crack the credentials without the server-side key.

Maybe you want to have a look at these links

Creating a secure REST API

SO - PHP Session Security
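The scheme from the answer above carried through in PHP, as an added example that is not part of the original answer: libsodium's authenticated secretbox encrypts "user:pass" under a key read from a file outside the web root, the session holds only nonce plus ciphertext, and the plaintext exists only while the Basic Auth header for the next API call is built. The key path `/etc/myapp/session.key`, the session key name `api_cred` and the function names are assumptions.

```php
<?php
// Added example, not from the original answer. Credentials sit in $_SESSION only
// as libsodium secretbox ciphertext; the key file lives outside DocumentRoot.
// Assumed: /etc/myapp/session.key holds 32 raw bytes generated once with
// random_bytes(SODIUM_CRYPTO_SECRETBOX_KEYBYTES), readable only by the PHP user.
declare(strict_types=1);
const KEY_FILE = '/etc/myapp/session.key'; // assumption: not under the web root

function loadServerKey(): string {
    $key = @file_get_contents(KEY_FILE);
    if ($key === false || strlen($key) !== SODIUM_CRYPTO_SECRETBOX_KEYBYTES) {
        throw new RuntimeException('server-side key missing or wrong length');
    }
    return $key;
}

// Encrypt "user:pass" under a fresh random nonce; blob = nonce || ciphertext.
function sealCredentials(string $username, string $password, string $key): string {
    $nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    return $nonce . sodium_crypto_secretbox("$username:$password", $nonce, $key);
}

// Recover "user:pass"; secretbox is authenticated, so a tampered blob is rejected.
function openCredentials(string $blob, string $key): string {
    $nonce = substr($blob, 0, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $box   = substr($blob, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $plain = sodium_crypto_secretbox_open($box, $nonce, $key);
    if ($plain === false) {
        throw new RuntimeException('session credentials failed authentication');
    }
    return $plain;
}

// At registration/login: only the ciphertext goes into the session.
function rememberCredentials(string $username, string $password): void {
    $key = loadServerKey();
    $_SESSION['api_cred'] = sealCredentials($username, $password, $key);
    sodium_memzero($key);
}

// On each later API call: decrypt just long enough to build the header, then wipe.
function basicAuthHeader(): string {
    if (!isset($_SESSION['api_cred'])) {
        throw new RuntimeException('no API credentials in session');
    }
    $key    = loadServerKey();
    $cred   = openCredentials($_SESSION['api_cred'], $key);
    $header = 'Authorization: Basic ' . base64_encode($cred);
    sodium_memzero($key);
    sodium_memzero($cred);
    return $header; // pass via stream_context_create(['http' => ['header' => $header]])
}
```

The key file must not be readable through the web server, and because a hijacked session can still drive the API through this PHP until it is invalidated, keep session lifetimes short and regenerate the session ID on login.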
