[英]What is the Best way to create a secure REST API with Zend?
I have been looking on a lot of questions about REST API and security and found some interesting informations but there is still one thing I don't understand. 我一直在寻找有关REST API和安全性的许多问题,并发现了一些有趣的信息,但是我仍然不了解一件事。
So, I have a REST API developped with Zend Framework with basic authentication over an https channel (so if I understoud what I have read, the login/password are encrypted when they are sent). 因此,我有一个使用Zend Framework开发的REST API,它通过https通道进行了基本身份验证(因此,如果我理解所读内容,则在发送登录名/密码时会对其进行加密)。 The purpose of this API is to be called by Android/iPhones apps and will only be available to people who have a login and a password
此API的目的是由Android / iPhones应用程序调用的,并且只有具有登录名和密码的人才能使用
SO, currently, to call the API, the login and password are always sent with the call and so, I check them at every call (the result is it makes a call to the database just for authentication at each call to the API). 因此,当前,要调用API,登录名和密码始终随调用一起发送,因此,我在每次调用时都会对其进行检查(结果是,每次对API进行调用时,都会对数据库进行调用以进行身份验证)。
Is there some kind of session management (as in web developpement) to avoid that? 是否有某种会话管理(例如在Web开发中)可以避免这种情况?
Thank, 谢谢,
REST API should be stateless, but you can use request signing using some secret key you obtain after first submission of username + password. REST API应该是无状态的,但是您可以使用在第一次提交用户名+密码后获得的一些秘密密钥来使用请求签名。
In other words, do not send username and password every time, just use once, to obtain secret key. 换句话说,不要每次都发送用户名和密码,只需使用一次即可获取密钥。
You may take a look at several APIs that sign the requests, eg. 您可以看一下几个签名请求的API,例如。 some implementing OAuth.
一些实现OAuth。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.