PHP REST API - Authentication

I'm sorry to put another REST Authenticate question on the website but I really need to get a complete answer. I have a REST API in which I try to log in a single page website (through jquery).

I want to create a token based authentication, but there are some steps I still can't understand.

At first, do I have to make a normal authentication to get and store in db the user login/password? Do I have to use the user session to store the token? Does someone have an example of php code that I can use?

source :

  • PHP rest API authentication
  • http://www.thebuzzmedia.com/designing-a-secure-rest-api-without-oauth-authentication/
----------- EDIT ---------------

Ok, I have some news to add.

  • First, Yes I have to make a normal authentication by sending the pair login, sha1(login+passwd)
  • After, No, never use the session like a secure way to store data, the login and sha1(login+passwd) will be stored in the database or in an application scope storing solution, like a hashmap.
  • But I still need you if you have a piece of php code. It's the reason why I put my answer as an edit.

1 answer
Oh, I just saw the badge "no view and no answer for a long time" and it brought me back here. I've finally found the answer:

The register is something you do only one time so you can send the hash key without a really good protection. (I mean against sniffing).

So here is the scenario to register:

  • Client enters login and password
  • Client sends login, hash (sha256(login + password))
  • The server stores this pair in the database (you can cache it in a hashmap to increase speed)

Now for the login

  • Client: asks for a session salt through a rest service or a hidden field in the html page.
  • Server: generates the salt from datetime and random and stores it in the session
  • Client enters the login and password
  • Client javascript hashes sha256(sha256(login + password) + salt) and stores the pair (login, hash) in the localstorage (html5, be careful with Modernizr or other stuff like this, this pair needs to stay private)
  • Server checks if (sha256(stored_hash_for_login + salt_in_session) == hash received)
  • Server: if it's ok, stores the token shared with the Client
  • Client logged in

Now every time the client wants to make an authenticated request, he will use the following method:

  • get the pair (login, token) from localstorage
  • generate a hash of his request like this:
  • hash_request = sha256(login + sha256(token + timestamp) + sha256(token + paramA) + ...)
  • The params need to be in alphabetical order.

The server receives the request (login, timestamp, params, hash_request), checks that the timestamp is not too old, generates the hash_request from the token in the hashmap for the login and checks if it is the same. In this way, you avoid replay (timestamp) and the clear password.
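The question asks for PHP code, and the answer above describes the flow in words only. What follows is an added example written for this page, not code from the asker or the answerer: both sides of the register / login / signed-request scheme modelled in one script, with arrays standing in for the database, the session and the hashmap. Function names (`register`, `make_salt`, `client_login_proof`, `server_login`, `sign_request`, `verify_request`), the 300-second replay window, the 32-byte random token, the use of `hash_equals` for comparisons and the inclusion of the parameter name in each `sha256(token + param)` term are this example's own choices, not part of the answer.

```php
<?php
// Added example: the answer's register / login / signed-request flow, both
// client and server side in one script. Names and constants below are
// assumptions of this example, not the question's or the answer's.
declare(strict_types=1);

// Server-side state: stands in for the database / session / hashmap.
$users  = [];   // login => sha256(login + password), stored at registration
$salts  = [];   // login => one-time login salt (the answer keeps this in the session)
$tokens = [];   // login => token shared with the client after login

const REPLAY_WINDOW = 300; // seconds a timestamp stays acceptable (assumed value)

function sha256(string $s): string { return hash('sha256', $s); }

// Registration: the client sends login and sha256(login + password) once.
function register(array &$users, string $login, string $password): void {
    $users[$login] = sha256($login . $password);
}

// Login, step 1 (server): hand out a salt built from the datetime and randomness.
function make_salt(array &$salts, string $login): string {
    $salts[$login] = sha256(date('c') . bin2hex(random_bytes(16)));
    return $salts[$login];
}

// Login, step 2 (client): proof = sha256(sha256(login + password) + salt).
function client_login_proof(string $login, string $password, string $salt): string {
    return sha256(sha256($login . $password) . $salt);
}

// Login, step 3 (server): recompute from the stored hash and the session salt,
// issue a random token on success, null on failure. The salt is consumed either way.
function server_login(array $users, array &$salts, array &$tokens, string $login, string $proof): ?string {
    if (!isset($users[$login], $salts[$login])) {
        return null;
    }
    $expected = sha256($users[$login] . $salts[$login]);
    unset($salts[$login]);                      // one salt, one attempt
    if (!hash_equals($expected, $proof)) {
        return null;
    }
    $tokens[$login] = bin2hex(random_bytes(32)); // assumption: 32 random bytes
    return $tokens[$login];
}

// Request signing, shared by both sides:
// hash_request = sha256(login + sha256(token + timestamp) + sha256(token + paramA) + ...)
// with params taken in alphabetical order of their names. Including the name in
// each term (name=value) is this example's addition so params cannot be renamed.
function sign_request(string $login, string $token, int $timestamp, array $params): string {
    ksort($params, SORT_STRING);
    $acc = $login . sha256($token . (string) $timestamp);
    foreach ($params as $name => $value) {
        $acc .= sha256($token . $name . '=' . $value);
    }
    return sha256($acc);
}

// Server-side verification of an authenticated request: known login, fresh
// timestamp, and a recomputed hash_request that matches the one received.
function verify_request(array $tokens, string $login, int $timestamp, array $params, string $hash_request, int $now): bool {
    if (!isset($tokens[$login])) {
        return false;
    }
    if (abs($now - $timestamp) > REPLAY_WINDOW) {
        return false;                           // stale (replayed) or future timestamp
    }
    $expected = sign_request($login, $tokens[$login], $timestamp, $params);
    return hash_equals($expected, $hash_request);
}

// Demo flow with a constructed user.
register($users, 'alice', 'correct horse battery staple');
$salt  = make_salt($salts, 'alice');
$proof = client_login_proof('alice', 'correct horse battery staple', $salt);
$token = server_login($users, $salts, $tokens, 'alice', $proof);
echo $token === null ? "login failed\n" : "login ok\n";

$now    = time();
$params = ['b' => '2', 'a' => '1'];             // deliberately out of order
$sig    = sign_request('alice', $token, $now, $params);
var_dump(verify_request($tokens, 'alice', $now, $params, $sig, $now));                    // genuine request
var_dump(verify_request($tokens, 'alice', $now, ['a' => '1', 'b' => '3'], $sig, $now));   // param changed after signing
var_dump(verify_request($tokens, 'alice', $now, $params, $sig, $now + 3600));             // same request an hour later
```

Run it with `php auth_demo.php`; the first `var_dump` prints true and the other two false. Two points worth checking before reusing this shape: the server stores an unsalted `sha256(login + password)`, which is fast to brute-force from a database dump (a production version would keep `password_hash()` output and never let the client's stored hash double as a password equivalent), and the login salt is consumed after one attempt so a captured proof cannot be resubmitted.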

duanhuhong5255: This is great! Thanks!
about 4 years ago

dopgv00024: Thank you for your answer.
more than 6 years ago