
FB social Login PHP - Why People take it as so difficult?

I was implementing FB social login in a website based on PHP. I checked the FB website and found it easy to implement. Below is the approach I have followed, and I am not sure whether I have any security issues here.

I have used the Facebook JS SDK approach, and it is as follows:

var appID = 'xxxxxxxxxxxxxxx';

// Initialise the SDK and check whether the visitor is already connected to the app.
window.fbAsyncInit = function() {
  FB.init({
    appId      : appID, // App ID
    channelUrl : '',
    status     : true,
    cookie     : true,
    xfbml      : true
  });
  FB.getLoginStatus(function(response) {
    if (response.status === 'connected') {
      // connected
      FB.api('/me?fields=id,name,email,permissions', function(response) {
        //alert('Good to see you, ' + response.name + '.');
      });
    } else {
      // not logged in to Facebook, or not authorised for this app
    }
  });
};

// Called from the sign-in button.
function login() {
  if (navigator.userAgent.match('CriOS')) {
    // Chrome on iOS: intentionally does nothing
  } else {
    FB.login(function(response) {
      if (response.authResponse) {
        replace_login();
      } else {
        // cancelled
        alert('User cancelled login or did not fully authorize.');
      }
    }, {scope: 'email,public_profile,user_friends'});
  }
}

// Fetch the profile client-side and POST it to the back end, which creates the session.
function replace_login() {
  FB.api('/me?fields=id,name,email', function(response) {
    $.ajax({
      url: "s-account",
      type: 'POST',
      data: response,
      dataType: 'json',
      beforeSend: function() {
        $("#signin_fb").button('loading');
      },
      success: function(data) {
        $("#signin_fb").button('reset');
        window.location.reload();
      },
      error: function() {
        $("#signin_fb").button('reset');
      }
    });
  });
}

And in PHP on the server side, I am storing the user details like social_id, name and email in the database through the ajax call, and if the DB operation is successful I am setting a Session Variable in my website with the username and email, and the user is logged in successfully.

For logout, I am using my own logout function to destroy the website user session, and the user is successfully logged out.

Now, where is the security risk? Because if the user is logged out and then tries to log in again, the JS SDK shall get a new Access Token through a new response.

This whole authentication process boils down to the ajax call to s-account. You're sending name and email from FB.api() to your back-end application in a POST request, and as you didn't mention it, I presume you're not verifying the access token with these details on the server side and you're simply creating a session based on these details.

The security issue

Now, the security issue is that you're using a client-side authentication on the server side. A user can simply generate a POST request to s-account with a fake Facebook-like response containing any username and email address, and your PHP application will authenticate the user and create a valid session without verifying whether the details are coming from a legit source. Your authentication is completely broken at this stage, because a malicious user can log in with any account by generating a simple POST request to s-account with any email and username.

How to fix

Facebook provides an end-point in the Graph API which validates an access token and returns the details of the user associated with this access token. From the Docs:

This endpoint returns metadata about a given access token. This includes data such as the user for which the token was issued, whether the token is still valid, when it expires, and what permissions the app has for the given user.

FB.login() will generate the access token as response.authResponse.accessToken and the userID as response.authResponse.userID. You need to send this accessToken & userID along with the other user details in your ajax call to s-account and then use the following API end-point to validate whether the details are legit.

curl -X GET "https://graph.facebook.com/v2.6/debug_token?input_token=USER_ACCESS_TOKEN_FROM_AJAX_CALL&access_token=YOUR_APP_ACCESS_TOKEN"

If the access token is valid, you'll get the following response with the userID for which this token was issued.

{
  "data": {
    "app_id": "YOUR_APP_ID",
    "application": "YOUR_APP_NAME",
    "expires_at": 1462777200,
    "is_valid": true,
    "scopes": [
      "email",
      "manage_pages",
      "pages_messaging",
      "pages_messaging_phone_number",
      "public_profile"
    ],
    "user_id": "THE_USER_ID_ASSOCIATED_WITH_THE_TOKEN"
  }
}

Now you can compare this userID with the userID you received in the ajax call and check whether the details are legit.

How to get your APP_ACCESS_TOKEN

To debug the user access token using the debug_token API, you need to generate your APP access token on the server side using the following API end-point.

curl -X GET "https://graph.facebook.com/v2.6/oauth/access_token?client_id=YOUR_APP_ID&client_secret=YOUR_APP_SECRET&grant_type=client_credentials"

This will return your app access token in the response.

{
  "access_token": "YOUR_APP_ACCESS_TOKEN_HERE",
  "token_type": "bearer"
}
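The server-side half the answer describes, as an added PHP example for the s-account handler (not the asker's or the answerer's code): it obtains an app access token, calls debug_token, checks is_valid, app_id and user_id against the posted id, and, going one step past the answer, reads name and email from /me with the now-verified token instead of trusting the POSTed values. The POST field names accessToken and id, the constant names and the placeholder credentials are assumptions.

```php
<?php
// Added example handler for the "s-account" POST (not the asker's code). Placeholders below.
const FB_APP_ID     = 'YOUR_APP_ID';
const FB_APP_SECRET = 'YOUR_APP_SECRET';
const FB_GRAPH      = 'https://graph.facebook.com/v2.6';

// GET a Graph API path; returns the decoded JSON object or null on any failure.
function graphGet(string $path, array $params): ?array {
    $ctx  = stream_context_create(['http' => ['timeout' => 5, 'ignore_errors' => true]]);
    $raw  = @file_get_contents(FB_GRAPH . $path . '?' . http_build_query($params), false, $ctx);
    $json = $raw === false ? null : json_decode($raw, true);
    return is_array($json) ? $json : null;
}

// Returns the verified Facebook profile for $userToken, or null if anything does not check out.
function verifyFacebookUser(string $userToken, string $claimedId): ?array {
    // 1. App access token via client_credentials; the app secret never leaves the server.
    $app = graphGet('/oauth/access_token', ['client_id' => FB_APP_ID,
        'client_secret' => FB_APP_SECRET, 'grant_type' => 'client_credentials']);
    if (empty($app['access_token'])) return null;

    // 2. debug_token: must be valid, issued to THIS app, and belong to the claimed user.
    $dbg = graphGet('/debug_token', ['input_token' => $userToken,
        'access_token' => $app['access_token']]);
    $d = $dbg['data'] ?? [];
    if (empty($d['is_valid']) || (string)($d['app_id'] ?? '') !== FB_APP_ID
        || !hash_equals((string)($d['user_id'] ?? ''), $claimedId)) {
        return null;
    }

    // 3. Read name/email with the verified token instead of trusting the POSTed copy.
    $me = graphGet('/me', ['fields' => 'id,name,email', 'access_token' => $userToken]);
    return (($me['id'] ?? null) === $claimedId) ? $me : null;
}

session_start();
$profile = verifyFacebookUser((string)($_POST['accessToken'] ?? ''), (string)($_POST['id'] ?? ''));
if ($profile === null) {
    http_response_code(401);
    echo json_encode(['error' => 'Facebook login could not be verified']);
    exit;
}
// Upsert social_id / name / email in the database here, then start the site session.
session_regenerate_id(true);
$_SESSION['username'] = $profile['name'];
$_SESSION['email']    = $profile['email'] ?? null;
echo json_encode(['ok' => true]);
```

The asker's replace_login() must also include response.authResponse.accessToken in the POST body for this to work, since the /me response it currently sends carries no token.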
