[英]I want to restrict a user to access data of other users through API
I have implemented token based authentication and authorization. 我已经实现了基于令牌的身份验证和授权。 I am storing the value of token in session. 我在会话中存储令牌的值。 How to restrict a user to access the data of other users if user gets the token. 如果用户获得令牌,如何限制用户访问其他用户的数据。 I am passing token only in header. 我仅在标头中传递令牌。 So if user is able to get the token value anyhow so he can access any API for any user. 因此,如果用户能够以任何方式获取令牌值,那么他可以为任何用户访问任何API。 I am calling apis in jQuery. 我在jQuery中调用API。
First of all, why do you save the value of the token in a session? 首先,为什么要在会话中保存令牌的值? That doesn't make sense, since your authorization becomes session dependent, not token dependent. 这没有任何意义,因为您的授权取决于会话,而不取决于令牌。 If you exchange password and username for token, don't use sessions as the token becomes redundant - you are authorizing the user through your session cookie. 如果您将密码和用户名交换为令牌,请不要使用会话,因为令牌会变得多余-您正在通过会话cookie授权用户。
Also, this is the idea of the token - to be working just for an hour (most services use this amount of time for the token life). 同样,这就是令牌的想法-仅工作一个小时(大多数服务在令牌寿命中使用此时间量)。 So if you are not implementing an OAuth authentication strategy, why use tokens in the first place? 因此,如果您未实施OAuth身份验证策略,为什么首先要使用令牌? And if you do, why use sessions? 如果这样做,为什么要使用会话? I think you are mixing different approaches here. 我认为您在这里混合使用不同的方法。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.