如何在 PHP REST Web 服务中处理身份验证?
[英]How to handle authentication in PHP REST web service?
问题描述
I've read that a good way to write web services to be consumed from mobile apps is to avoid SOAP (too verbose) and to use REST.
我读到过,编写要从移动应用程序使用的 Web 服务的一个好方法是避免使用 SOAP(过于冗长)并使用 REST。 In many REST examples, I have seen it is better to avoid sessions due to the stateless nature of REST.在许多 REST 示例中,我看到由于 REST 的无状态特性,最好避免会话。 But how can I assure security when invoking my web service?但是在调用我的 Web 服务时如何保证安全性? I would like to make a "login" call than pass a session_id/token to the next web service call.我想进行“登录”调用,而不是将session_id/token传递给下一个 Web 服务调用。 How can I do it?我该怎么做?
2 个解决方案
解决方案1
4 2011-03-07 14:24:45
The cleanest way would be using HTTP authentication.最干净的方法是使用 HTTP 身份验证。 While that wouldn't go by the login+sessionid way you mentioned it would be much cleaner and more straightforward (API calls do not related on other API calls and clients do not need to expect session timeouts etc.)虽然这不会通过您提到的 login+sessionid 方式进行,但它会更清晰、更直接(API 调用与其他 API 调用无关,并且客户端不需要预期会话超时等)
解决方案2
3 2011-03-07 14:18:23
You can pass user token (and session, or any other auth data if you need it) in a json request like:您可以在 json 请求中传递用户令牌(和会话,或任何其他需要的身份验证数据),例如:
{"auth": {"session_id": "abc", "token":"123"},
"data": "your request data"
}
If you are crazy about security you can generate a new token after each user login and even have life time for tokens.如果您对安全非常着迷,您可以在每次用户登录后生成一个新令牌,甚至可以为令牌设置生命周期。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.