[英]is it possible to restrict a token to one device ?
在.NET环境中-基于令牌的身份验证-是否可以将令牌限制为一个设备,以便某人无法复制该令牌并在另一设备上使用该访问令牌执行请求?
Short answer is yes. 简短的回答是。
1- The naive solution is, you get the User-Agent from request header as well as client ip address, concatenate them with the token and encrypt it with a SecretKey and return the whole string as a new token to the client, so every time client sends a request to server you have to decrypt the token based on the SecretKey and check the data with the coming request ip address and User-Agent. 1-天真的解决方案是,您从请求标头以及客户端IP地址获取User-Agent,将它们与令牌连接在一起,并使用SecretKey对其进行加密,然后将整个字符串作为新令牌返回给客户端,因此每次客户端向服务器发送请求,您必须根据SecretKey解密令牌,并使用即将到来的请求ip地址和User-Agent检查数据。 so in case if any one copy the token it will not match with the headers or ip. 因此,如果有人复制令牌,则令牌与标头或ip不匹配。 but if the client pass the entire header properly and has the same ip address as the original client you are hacked! 但是,如果客户端正确传递了整个标头,并且具有与原始客户端相同的IP地址,那么您就被黑了!
2- The safest solution is client certificate authentication as NightOwl888 mentioned 2-最安全的解决方案是客户端证书身份验证,如NightOwl888所述
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.