简体繁体 English

PHP Slim API中的查询字符串JWT JSON Web令牌认证

[英]Query string JWT JSON Web Token Authentication in PHP Slim API

原文 2017-01-04 09:24:33 1 1 php/ api/ authentication/ jwt/ slim

This is a question about the best way of implementing JWT in a Slim PHP API - I'm looking for some guidance from senior/experienced developers as to how to proceed. 这是关于在Slim PHP API中实现JWT的最佳方法的问题-我正在寻找资深/有经验的开发人员有关如何进行操作的指导。

I currently have an open API, where users can perform get requests with query parameters such as device and date-time range to pull data. 我目前有一个开放的API，用户可以在其中使用查询参数（例如设备和日期时间范围）执行获取请求以提取数据。 I also have devices which are POSTing data, with no authentication. 我也有不进行身份验证即可发布数据的设备。 We're not in production yet, but obviously this is bad. 我们尚未投入生产，但显然这很糟糕。

To tackle this, I've been looking at implementing stateless authentication on the GET requests in the first case, specifically using JWT. 为了解决这个问题，我一直在考虑在第一种情况下对GET请求实施无状态身份验证，特别是使用JWT。 I initially thought about passing the JWT through as a query string, with options for resetting a token performed through the web front-end after a user has logged in. However, I can see this being bad for man-in-the-middle attacks and my token being exposed (if using plain http). 我最初考虑将JWT作为查询字符串传递，并提供用于在用户登录后通过Web前端重置令牌的选项。但是，我看到这对中间人攻击不利和我的令牌被暴露（如果使用纯http）。 If I was to make sure all get/post requests were performed as https requests, will this be sufficiently secure? 如果我要确保所有获取/发布请求均作为https请求执行，那么这是否足够安全？

What seems to be the more secure way would be to pass the token through the header. 似乎更安全的方法是将令牌通过标头传递。 But from what I understand about this, you'd need something like Postman to be able to send requests, which isn't really an option since my users want to access the data using their browser only. 但是据我了解，您需要像Postman这样的设备才能发送请求，这并不是真正的选择，因为我的用户只想使用他们的浏览器访问数据。

1 个解决方案

It's pointless using http, https is a must otherwise everyone in between the user and your server will see the password the responses can even be cached. 使用http是没有意义的，https是必须的，否则用户和服务器之间的每个人都将看到甚至可以缓存响应的密码。

The token can be stored in a secure cookie which the browser will automatically include with each request. 令牌可以存储在安全的cookie中，浏览器将在每个请求中自动包含该cookie。 (The Slim Middleware for JWT has this functionality built in). （用于JWT的Slim中间件具有内置的此功能）。 Check out many available libraries at https://jwt.io/ 在https://jwt.io/上查看许多可用的库

Adding the token to the query string isn't needed if you use cookies, I would not recommend adding tokens to the query string as they are to easily leaked. 如果您使用cookie，则不需要将令牌添加到查询字符串中，我不建议您将令牌添加到查询字符串中，因为它们很容易泄漏。 (Users love copy&pasting URLs to each other, this would also leak the token) （用户彼此之间喜欢复制粘贴URL，这也会泄漏令牌）

Note: If you're not sure if JWT is right for you, check out: http://cryto.net/~joepie91/blog/2016/06/19/stop-using-jwt-for-sessions-part-2-why-your-solution-doesnt-work/ 注意：如果不确定JWT是否适合您，请查看： http : //cryto.net/~joepie91/blog/2016/06/19/stop-using-jwt-for-sessions-part-2 -为什么您的解决方案不起作用/