简体繁体 English

执行Facebook身份验证：客户端和服务器端

[英]Enforcing Facebook Authentication: Client-side and server-side

原文 2010-08-04 13:06:37 5 2 javascript/ flash/ security/ authentication/ facebook

I'm building a social media app in Flash (AS3) that is tightly integrated with Facebook--all user accounts are handled via Facebook connect, and all Facebook connectivity is handled via a combination of the Javascript and AS3 Facebook APIs. 我正在Flash（AS3）中构建一个与Facebook紧密集成的社交媒体应用程序 - 所有用户帐户都通过Facebook连接处理，所有Facebook连接都通过Javascript和AS3 Facebook API的组合来处理。 I'm using Codeigniter on the backend for server-side data management, which includes tracking user actions and data on the site through URLRequests from Flash. 我在后端使用Codeigniter进行服务器端数据管理，包括通过Flash中的URLRequests跟踪网站上的用户操作和数据。

My problem is that I don't know how to prevent spoofing of the server requests that are made from Flash; 我的问题是我不知道如何防止欺骗从Flash发出的服务器请求; in theory, malicious users could track the calls that Flash is making to my server and reproduce them in a way that (for example) inserts garbage data and associates it with a given Facebook user ID in my database. 理论上，恶意用户可以跟踪Flash对我的服务器进行的调用，并以（例如）插入垃圾数据并将其与我的数据库中给定的Facebook用户ID相关联的方式重现它们。 All authentication is taking place on the client side (via the Facebook JS API) with no intervention by the server, so I'm having a hard time figuring out exactly how to secure calls between Flash and the server in a manner that ensures that users have to be authenticated with Facebook in order to make them. 所有身份验证都在客户端进行（通过Facebook JS API），服务器没有干预，所以我很难确定如何以确保用户的方式确保Flash和服务器之间的呼叫安全必须通过Facebook进行身份验证才能生成它们。

One possibility I considered is using an encryption scheme known by the client and server to pass Facebook UIDs back and forth, which would certainly be better than passing them in the clear. 我考虑的一种可能性是使用客户端和服务器已知的加密方案来回传递Facebook UID，这肯定比明确传递它们更好。 However, it would only take one enterprising hacker with enough time/patience to break the scheme (or decompile the swf) to screw everything up. 然而，只有一个有进取心的黑客有足够的时间/耐心才能打破计划（或反编译swf）以搞砸一切。

Anyway, I may be overthinking this, but it seems like an important point and I'm really not sure of the best approach. 无论如何，我可能会过度思考这一点，但这似乎是一个重点，我真的不确定最好的方法。 Any feedback would be greatly appreciated! 任何反馈将不胜感激！

2 个解决方案

I just spent a ton of time trying to figure this one out! 我花了很多时间试图弄清楚这个！ I know this is an old question, but hopefully it will be useful to you still or at least someone else. 我知道这是一个老问题，但希望它对你或者至少其他人都有用。

The basic problem is just like you said. 基本问题就像你说的那样。 If you are doing client-side authentication, but you want to do some user-specific server side operations, you need to security authenticate the user on your system as well. 如果您正在进行客户端身份验证，但是您希望执行某些特定于用户的服务器端操作，则还需要对系统上的用户进行安全身份验证。 Ideally, you would want to avoid having them log on again with a password and such because that would be a horrible user experience. 理想情况下，您可能希望避免让他们再次使用密码登录，因为这将是一个糟糕的用户体验。 So one might be tempted to just send over the UID and log them on that way. 因此，人们可能会想要发送UID并以这种方式记录它们。 Unfortunately, there's an obvious security risk to this. 不幸的是，这有明显的安全风险。 As you point out, anyone can pass the UID which is generally public knowledge and log on as someone they are not. 正如您所指出的，任何人都可以传递通常是公共知识的UID，并以他们不是的人身份登录。

The solution to this problem is to use information stored in a cookie that the facebook api drops after a user successfully logs on. 此问题的解决方案是使用存储在cookie中的信息，在用户成功登录后facebook api会丢弃该信息。 The information in the cookie contains the user information in it as well as a unique signature data. cookie中的信息包含其中的用户信息以及唯一的签名数据。 If the server grabs the contents of the cookie, and you process it correctly, out should pop a secret code. 如果服务器抓取cookie的内容，并且您正确处理它，则应该弹出一个密码。 This secret code should match, exactly, your application secret code which only you and facebook know. 这个密码应该与您和Facebook知道的应用程序密码完全匹配。 If it does, then you know the cookie (and thus the user) is legit. 如果确实如此，那么你就知道cookie（因此用户）是合法的。 If it is not the same, then you know someone is trying something funny. 如果它不相同，那么你就知道有人正在尝试一些有趣的事情。

For more information, you might consider checking out these pages: PHP - https://developers.facebook.com/docs/guides/web/#personalization Ruby - http://vombat.tumblr.com/post/835536630/ruby-version-of-facebooks-get-facebook-cookie-in-php 有关更多信息，您可以考虑查看这些页面：PHP - https://developers.facebook.com/docs/guides/web/#personalization Ruby - http://vombat.tumblr.com/post/835536630/ruby-版本的-Facebook的-获得Facebook的cookie的功能于PHP

I should also note that similar approaches for both LinkedIn and Twitter exist. 我还应该注意到LinkedIn和Twitter都存在类似的方法。

This is a legitimate concern because you are in violation of CWE-603: Use of Client-Side Authentication . 这是一个合理的问题，因为您违反了CWE-603：使用客户端身份验证。 Encryption cannot help this station because a malicious client will be able to obtain any secret. 加密无法帮助这个站，因为恶意客户端将能够获得任何秘密。

The best approach for verifying a client is to have the flash app send information about the session back to the server. 验证客户端的最佳方法是让Flash应用程序将有关会话的信息发送回服务器。 The server then has to connect back to facebook using something like the php api such that the server can verify that the client has a valid session with facebook. 然后服务器必须使用类似php api的东西连接回Facebook，这样服务器就可以验证客户端是否与facebook有效会话。 This should be done once per login, and then you can issue a session id (cookie) to the flash app to access your data store for that user. 这应该在每次登录时完成一次，然后您可以向Flash应用程序发出会话ID（cookie）以访问该用户的数据存储。