How to validate user information with API, a secure method?

I was wondering if anyone would know how to validate a username and a password with an API. I'm pretty sure it would be stupid and insecure to use

http://api.example.com/profile?uname=name&pass=the-password

I hope that anyone would know how to do this in a secure way?

Thanks!

Using a secure connection, and submitting the username and password inside the headers, is the best way to accomplish this.

HTTPS ensures that a person cannot simply dissect the packets in transit. Of course, even with HTTPS, there are many security concerns with throwing sensitive data in the URL (see here: Are https URLs encrypted?). That's why we use the headers.

See here for sending headers via cURL:

How to send a header using a HTTP request through a curl call?

Once you're sending the proper headers, the API will (of course) need to authorize based on these header values.

The most common way to accomplish this is to make one endpoint that will authorize with your username and password, then send you an authorization token. Then, once that token is received, you simply include the token in each request. I've seen the token used both ways: via headers and via the URL. The great thing is, with time-limited access tokens, you can use tokens inside the URL itself. However, I'm an eternal pessimist and would advise one to still carry the token in the header instead of the URL.

At that point, though, the choice is yours (unless you don't control the API).
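The flow the answer describes (credentials in an Authorization header, a login endpoint that exchanges them for a time-limited token, and every other endpoint accepting only that token from a header), as an added example that is not part of the original question or answer. It simulates the server side in plain Python with no web framework: requests are represented as header dictionaries, the user store and the "alice" / "correct horse" credentials are constructed for the example, and the token store is an in-memory dictionary. The HTTPS transport the answer relies on is assumed and not modelled here.

```python
import base64
import hashlib
import hmac
import secrets
import time
from typing import Dict, Optional, Tuple

# Constructed user store for the example: the server keeps only a salted
# PBKDF2 hash, never the password itself. The iteration count is an assumption;
# a real deployment tunes it to its hardware.
PBKDF2_ITERATIONS = 200_000


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


_SALT = secrets.token_bytes(16)
USERS = {"alice": {"salt": _SALT, "hash": hash_password("correct horse", _SALT)}}

TOKEN_TTL_SECONDS = 900
TOKENS: Dict[str, Tuple[str, float]] = {}  # token -> (username, expiry time)


def parse_basic(auth_header: Optional[str]) -> Optional[Tuple[str, str]]:
    """Extract (user, password) from 'Authorization: Basic <base64>'.

    Credentials travel in the header, never in the query string, so they do not
    end up in server access logs, proxy logs or browser history.
    """
    if not auth_header or not auth_header.startswith("Basic "):
        return None
    try:
        decoded = base64.b64decode(auth_header[6:], validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
        return None
    user, sep, password = decoded.partition(":")
    if not sep:
        return None
    return user, password


def verify_password(user: str, password: str) -> bool:
    record = USERS.get(user)
    # Hash even for unknown users so response time does not reveal whether
    # the username exists; compare in constant time.
    salt = record["salt"] if record else b"\x00" * 16
    expected = record["hash"] if record else b"\x00" * 32
    candidate = hash_password(password, salt)
    return record is not None and hmac.compare_digest(candidate, expected)


def login(headers: Dict[str, str], now: Optional[float] = None) -> Tuple[int, dict]:
    """The token-issuing endpoint: Basic credentials in, bearer token out."""
    now = time.time() if now is None else now
    creds = parse_basic(headers.get("Authorization"))
    if creds is None:
        return 401, {"error": "missing or malformed Basic credentials"}
    user, password = creds
    if not verify_password(user, password):
        return 401, {"error": "invalid credentials"}
    token = secrets.token_urlsafe(32)  # unguessable, random token
    TOKENS[token] = (user, now + TOKEN_TTL_SECONDS)
    return 200, {"token": token, "expires_in": TOKEN_TTL_SECONDS}


def authorize(headers: Dict[str, str], now: Optional[float] = None) -> Optional[str]:
    """Return the user owning a live bearer token from the header, else None."""
    now = time.time() if now is None else now
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return None
    token = auth[7:]
    entry = TOKENS.get(token)
    if entry is None:
        return None
    user, expiry = entry
    if now >= expiry:
        TOKENS.pop(token, None)  # time-limited: an expired token is dropped
        return None
    return user


def profile(headers: Dict[str, str], now: Optional[float] = None) -> Tuple[int, dict]:
    """Every other endpoint only checks the token, never the password."""
    user = authorize(headers, now)
    if user is None:
        return 401, {"error": "unauthorized"}
    return 200, {"profile": user}


def basic_header(user: str, password: str) -> str:
    """Build the client-side header (what 'curl -H' or '-u' would send)."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


if __name__ == "__main__":
    status, body = login({"Authorization": basic_header("alice", "correct horse")})
    print(status, profile({"Authorization": "Bearer " + body["token"]}))
```

The client would send the first request as `curl -u alice:'correct horse' https://api.example.com/login` (curl builds the same Basic header) and then `curl -H "Authorization: Bearer <token>" https://api.example.com/profile`; nothing secret ever appears in a URL. The fixed-time `now` parameter exists only so the expiry behaviour can be exercised deterministically.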
