
How to know my post request came from my phonegap/cordova app in a PHP server

Let's say I have a Phonegap/cordova app and I want to make requests to my server with POSTs and GETs through AJAX.

How can I secure my php file so that it acts only if the POST comes from my app? E.g.:

<?php
// Shared-key check as sketched in the question; hash_equals avoids PHP's loose == comparison
if (isset($_POST["key"]) && hash_equals($secret_key_got_from_server, $_POST["key"])) {
   // Do the things
}

I wanted to create a secure unique key with openssl, but if I hardcode it in the code to send it through AJAX, anyone could just decompile my source code, get the key, and do whatever he wants.

How could I make sure my POST comes from my phonegap app, or how can I securely code that key/token?

I'm not quite sure if this question should be here or in Security SE.

How could I make sure my POST comes from my phonegap app, or how can I securely code that key/token?

You can't. Full stop. Reverse engineering exists in the world, and that genie has been out of the bottle for at least 40 years.

Ask yourself, "Why is it necessary to ensure that the data can only come from my app?" You're very likely trying to solve the wrong problem.

To check whether the origin of a given POST message is a legitimate user or not, you should consider authentication of the message. There are various ways to achieve authentication, but a common way is to use a token that is issued during the sign-up or login process. If the POST message contains a valid token, we can regard the message as sent from a valid user; otherwise it is not a valid request. Recently JWT has been widely used for web applications. These sites may be helpful: JWT.io, JWT - Wikipedia

In this case, if attackers can capture and modify your POST message, then your scheme fails. To prevent this attack scenario, you need to encrypt your message. As you say, if you hardcode the secret key in the client-side app, attackers can learn the key by analyzing the client-side app. So the better way is to encrypt the message using the public key of the server. The public key is only for encryption, and it is computationally impossible to decrypt a message using the public key. Decryption is done with the private key, which should be securely stored on the server.

These public-key and private-key based encryption methods are called public key cryptosystems (PKC). For instance, RSA and ECC are the most well-known public key cryptosystems.

For web applications, the HTTPS protocol is provided. You can encrypt your POST message using HTTPS.

Note that encryption itself doesn't provide integrity and authentication. Encryption just hides the message, but does not guarantee that the message is sent from a valid user.
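As an added example (not part of the answer above, and not code from the asker's project), here is what the login-issued token that answer describes looks like on the PHP side: a minimal HS256 JWT created after the user's credentials have been checked and verified on every later POST. SERVER_SECRET, issue_token and verify_token are names assumed for this illustration, and the simulated exchange at the bottom is constructed. The secret stays on the server only, which is the whole point: the app carries nothing an attacker can extract and reuse beyond a short-lived token bound to one user.

```php
<?php
// Added example: minimal HS256 JWT issued at login and checked on each POST.
// SERVER_SECRET is an assumed server-side secret that never ships inside the app;
// in production load it from configuration, not from source code.
declare(strict_types=1);

const SERVER_SECRET = 'replace-with-32-random-bytes-from-random_bytes';  // assumed value
const TOKEN_TTL = 3600; // token lifetime in seconds

// JWT uses base64url without padding.
function b64url(string $bin): string {
    return rtrim(strtr(base64_encode($bin), '+/', '-_'), '=');
}

function b64url_decode(string $s): ?string {
    $pad = strlen($s) % 4;
    if ($pad) { $s .= str_repeat('=', 4 - $pad); }
    $bin = base64_decode(strtr($s, '-_', '+/'), true);  // strict: reject junk input
    return $bin === false ? null : $bin;
}

// Called once, after the login handler has verified the user's credentials.
function issue_token(string $userId, int $now): string {
    $header  = b64url(json_encode(['alg' => 'HS256', 'typ' => 'JWT']));
    $payload = b64url(json_encode(['sub' => $userId, 'iat' => $now, 'exp' => $now + TOKEN_TTL]));
    $sig     = b64url(hash_hmac('sha256', "$header.$payload", SERVER_SECRET, true));
    return "$header.$payload.$sig";
}

// Called on every protected POST. Returns the user id, or null if the token is not acceptable.
function verify_token(string $token, int $now): ?string {
    $parts = explode('.', $token);
    if (count($parts) !== 3) { return null; }
    [$header, $payload, $sig] = $parts;

    // Recompute the MAC over exactly the bytes the client sent; compare in constant time.
    $expected = b64url(hash_hmac('sha256', "$header.$payload", SERVER_SECRET, true));
    if (!hash_equals($expected, $sig)) { return null; }

    // Pin the algorithm: never let the token choose it ("alg": "none" attacks).
    $hdr = json_decode(b64url_decode($header) ?? '', true);
    if (!is_array($hdr) || ($hdr['alg'] ?? null) !== 'HS256') { return null; }

    $claims = json_decode(b64url_decode($payload) ?? '', true);
    if (!is_array($claims) || !isset($claims['sub'], $claims['exp'])) { return null; }
    if (!is_int($claims['exp']) || $claims['exp'] <= $now) { return null; }  // expired

    return (string) $claims['sub'];
}

// --- Constructed exchange, runnable from the CLI: php token_demo.php ---
$now   = time();
$token = issue_token('user42', $now);   // 1. the login response hands this to the app
echo "Issued: $token\n";

// 2. the app sends it with each POST, e.g. "Authorization: Bearer <token>"
$authHeader = "Bearer $token";
$sent = substr($authHeader, strlen('Bearer '));
var_dump(verify_token($sent, $now));

// 3. editing the payload to claim another user breaks the MAC
[$h, $p, $s] = explode('.', $token);
$forgedPayload = b64url(json_encode(['sub' => 'admin', 'iat' => $now, 'exp' => $now + TOKEN_TTL]));
var_dump(verify_token("$h.$forgedPayload.$s", $now));

// 4. a genuine token stops working once past its exp claim
var_dump(verify_token($token, $now + TOKEN_TTL + 1));
```

The three verify_token calls show the cases a practitioner cares about: a token as issued is accepted, a payload rewritten to claim another user is rejected because the signature no longer matches, and an unmodified token is rejected once its expiry has passed. In production use a maintained JWT library rather than this hand-rolled one, and send the token only over HTTPS: anyone who captures it can replay it until it expires, which is the limit the first answer's "you can't" refers to.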
