堆栈内存溢出
  简体   繁体   English

安全实施 Javascript SDK Facebook 身份验证

[英]Securely implementing the Javascript SDK for Facebook Authentication

 原文  2012-08-16 23:36:36       javascript/ facebook/ facebook-graph-api

问题描述

I'm currently trying to implement Facebook Authentication into my website, but I'm seeing many major security holes.我目前正在尝试在我的网站中实施 Facebook 身份验证,但我看到了许多主要的安全漏洞。 The only way I can communicate with the server about the user who just authenticated my app is by using some kind of POST or GET request to another page, which matches the facebook ID with a database filled with users facebook IDs and site user ids.我可以与服务器就刚刚验证我的应用程序的用户进行通信的唯一方法是对另一个页面使用某种 POST 或 GET 请求,该页面将 facebook ID 与填充有用户 facebook ID 和站点用户 ID 的数据库相匹配。 An attacker can just obtain the faceboom ID of a user, and send an artificial request to the server, getting them access to the account.攻击者只需获取用户的 faceboom ID,然后向服务器发送人为请求,让他们访问该帐户。 What is a more secure way of implementing the Facebook Authentication Javascript SDK with server-side communication.使用服务器端通信实现 Facebook 身份验证 Javascript SDK 的更安全方法是什么。

2 个解决方案

解决方案1
 0  2012-08-17 00:39:49

I think this question is best repeated as: How can I best secure my login system when only sending a facebook id to log someone in? 我认为最好重复此问题,因为:仅发送Facebook ID来登录某人时,如何才能最好地保护我的登录系统? Is that correct? 那是对的吗?

I think the problem is just the same as normal log in. You need 2 fields at least to properly confirm a user's identity. 我认为问题与普通登录​​相同。您至少需要2个字段才能正确确认用户的身份。 Why not select their email, their id, and I believe their access token. 为什么不选择他们的电子邮件,他们的ID和我相信他们的访问令牌。 This access token should be passed straight from facebook. 此访问令牌应直接从Facebook传递。 You can then use this token server side and ask facebook if the token is valid. 然后,您可以使用此令牌服务器端并询问Facebook令牌是否有效。

Check this out: https://developers.facebook.com/blog/post/2011/05/13/how-to--handle-expired-access-tokens/ 看看这个: https : //developers.facebook.com/blog/post/2011/05/13/how-to--handle-expired-access-tokens/

Also: How to extend access token validity since offline_access deprecation 另外: 自从offline_access弃用以来,如何扩展访问令牌的有效性

解决方案2
 0  2022-03-21 04:09:23

When the user authenticates on your server, you are also given the access_token of the user as well as their id .当用户在您的服务器上进行身份验证时,您还会获得用户的access_token以及他们的id You can then pass the access_token to your server and do a request to Facebook using the access_token to make sure it is valid.然后,您可以将access_token传递给您的服务器,并使用access_token向 Facebook 发出请求以确保其有效。

暂无
暂无

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

相关问题 在PHP身份验证流程中实现JavaScript SDK进行身份验证 - Implementing a JavaScript SDK for authentication within a PHP authentication flow 安全地将数据从 Facebook JavaScript SDK 方法 FB.login 传输到我的服务器端代码 - Securely transfer data from Facebook JavaScript SDK method FB.login to my server-side code 如何安全地使用aws-sdk javascript - how to securely use aws-sdk javascript REST API:安全处理Java SPA中的身份验证 - REST API: Securely Handle Authentication in a Javascript SPA 使用Facebook JavaScript SDK - Using the Facebook JavaScript SDK 使用Javascript中的Facebook SDK注销 - Logout with Facebook SDK in Javascript Facebook javascript SDK没有响应 - Facebook javascript SDK not responding Facebook SDK Javascript和PHP - Facebook SDK Javascript and PHP jQuery和Facebook Javascript SDK - jQuery and Facebook Javascript SDK 适用于Facebook的JavaScript SDK - JavaScript SDK for Facebook
相关标签
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM