最佳实践:如何在服务器上验证/授权AJAX调用
[英]Best practice: How to authenticate/authorize AJAX Calls on the server
问题描述
the last days I was wondering how is it done? 
最后几天我想知道它是如何完成的? How can you authenticate/authorize that the user is allowed to request the data via AJAX. 如何验证/授权用户可以通过AJAX请求数据。
For now I am using SESSIONS for auth.But this is only a minor protection. 目前我正在使用SESSIONS进行身份验证。但这只是一个小保护。
Let´s say I have some function called addUserToGroup($user_id,$group_id), which is called via 假设我有一些名为addUserToGroup($ user_id,$ group_id)的函数,它被称为via
EXAMPLE: www.mysite.com/addUserToGroup/1/2 ( user_id = 1 , group_id = 2 )
How can I check if this user is really allowed to join group_id=2? 如何检查该用户是否真的被允许加入group_id = 2? Everyone could just POST data to my server... 每个人都可以将数据发布到我的服务器......
One solution I found is using jcryption (public/private key method). 我发现的一个解决方案是使用jcryption(公钥/私钥方法)。 But I think,there must be an easier way to somehow check if user_id = 1 is allowed to join group_id = 2. 但我认为,必须有一种更简单的方法来检查user_id = 1是否允许加入group_id = 2。
Thanks in advance! 提前致谢!
3 个解决方案
解决方案1
2 2012-08-17 21:27:36
Add an extra field to your table users: is_allowed_to_join_2 int(1) 向表用户添加一个额外字段:is_allowed_to_join_2 int(1)
When the person logs in, set 当该人登录时,设置
$_SESSION['is_allowed_to_join_2'] = $user['is_allowed_to_join_2'] == 1 ? true : false;
And on the ajax call, in your php code: 在ajax调用中,在你的php代码中:
if( $_SESSION['is_allowed_to_join_2'] !== true )
{
exit("Not allowed");
}
解决方案2
1 2012-08-17 21:26:51
How can you authenticate/authorize that the user is allowed to request the data via AJAX.
The same way you auth/authz any other HTTP request. 与auth / authz任何其他HTTP请求的方式相同。
or now I am using SESSIONS for auth.
Sessions are a sensible way to track if a user is logged in, and who they are logged in as. 会话是一种合理的方式来跟踪用户是否已登录,以及他们以何种方式登录。
How can I check if this user is really allowed to join group_id=2?
The session data tells you who the user is. 会话数据会告诉您该用户是谁。
On top of that you implement your business logic to determine if they are allowed to join group 2. We can't tell you what that is because we don't know what the business logic is. 最重要的是,您实现业务逻辑以确定是否允许它们加入组2.我们无法告诉您这是什么,因为我们不知道业务逻辑是什么。
If, for example, only users in region 2 countries were allowed to join group 2 then your logic might be something like: 例如,如果只允许区域2国家/地区的用户加入第2组,那么您的逻辑可能类似于:
IF session exists
AND user is logged in
AND user's country is in region 2
THEN authorized
Determining if the user's country was in region 2 might be done with some SQL like 确定用户的国家/地区是否在区域2中可能会使用某些SQL来完成
SELECT user_id FROM members, countries WHERE user=:username AND members.country=countries.id AND countries.region=:region
解决方案3
1 已采纳 2012-08-17 21:55:40
I believe your question is about authorization, not authentication. 我相信你的问题是关于授权,而不是身份验证。 If I'm right, then presumably you already know who the user is (authentication, perhaps using a cookie or something). 如果我是对的,那么大概你已经知道用户是谁 (身份验证,可能使用cookie或其他东西)。
Now, you have to come up with a way of determining what they are allowed to do (authorization). 现在,您必须想出一种方法来确定他们可以做什么(授权)。
Authorization logic is really a key design decision. 授权逻辑确实是一个关键的设计决策。 As such, it's non-trivial and depends heavily on the shape of your data model and architecture of your application. 因此,它非常重要,并且在很大程度上取决于数据模型的形状和应用程序的体系结构。
If you can consistently determine whether this should be allowed by applying rules to the data, such as in Quentin's response above (where living in Region 2 is enough to make it such that the User may join Group 2), then it's usually simplest to put this logic in your entity model. 如果您可以通过对数据应用规则来一致地确定是否允许这样做,例如在Quentin上面的响应中(生活在区域2中足以使用户可以加入Group 2),那么通常最简单的实体模型中的这个逻辑。 In that case, I'd either create a method on User to check whether they can join the group... 在这种情况下,我要么在User上创建一个方法来检查他们是否可以加入该组...
function canJoinGroup($group) {
//if(all is well), then:
return true
}
Or create a method to join them which throws an error if disallowed: 或者创建一个连接它们的方法,如果不允许则抛出错误:
function joinGroup($group) {
//if(all is well), then:
return true;
//otherwise:
throw new Exception("User ". $this->id ." cannot join group " . $group->id);
}
You could also add a function to Group which delegates to this new User function: 您还可以向Group添加一个函数,该函数委派给这个新的User函数:
function addUser($user) {
$user->joinGroup($this);
}
OTOH, If the decisions about who can do what are based on more granular permissions, or based on information an administrator or user needs to be able to change at runtime, then you will have to get a lot fancier. OTOH,如果关于谁可以做什么基于更细粒度的权限,或者基于管理员或用户需要能够在运行时更改的信息的决定,那么你将不得不获得更多的发烧友。 A commonly-used, versatile, and flexible approach is called Role-Based Access Control (aka RBAC). 常用的,通用的和灵活的方法称为基于角色的访问控制 (又称RBAC)。
This can get extremely sophisticated, but the core concept, applied to your case, is that you have a User, and Entity (the Group) and an Operation (join). 这可能会非常复杂,但适用于您的案例的核心概念是您拥有用户,实体(组)和操作(加入)。 You need to determine whether User 1 is allowed to do the Operation called 'join' with Group 2 as an argument. 您需要确定是否允许用户1以组2作为参数执行名为“join”的操作。
In order to do this, you will have to keep a set of rules somewhere, and then do two things: 为了做到这一点,你必须在某处保留一套规则,然后做两件事:
- keep these tables up-to-date when new Users and Groups are added to the system, or when an Administrator changes their permissions 将新用户和组添加到系统时,或管理员更改其权限时,请使这些表保持最新
- check these tables with each request to see if the User can perform the Operation on the Entity (check whether the User can Join the Group ) 检查这些表是否包含每个请求,以查看用户是否可以对实体执行操作(检查用户是否可以加入 组 )
I won't get into the low-level details of this use case. 我不会深入了解此用例的低级细节。 Suffice it to say that, if what you're trying to accomplish today will eventually need to grow into a fairly sophisticated permissions system, you'd do well to study up on RBAC. 可以这么说,如果你今天要完成的任务最终需要发展成为一个相当复杂的权限系统,那么你最好先研究一下RBAC。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.