douzhuang1900 2014-03-26 09:14
Views: 72
Accepted

PHP REST API - Authentication

I'm sorry to put another REST authentication question on the website, but I really need to get a complete answer. I have a REST API with which I try to log in to a single-page website (through jQuery).

I want to create a token-based authentication, but there are some steps I still can't understand.

At first, do I have to make a normal authentication to get and store in the DB the user login/password? Do I have to use the user session to store the token? Does someone have an example of PHP code that I can use?

source :

----------- EDIT ---------------

Ok, I have some news to add.

  • First, yes, I have to make a normal authentication by sending the pair login, sha1(login+passwd).
  • After, no, never use the session as a secure way to store data; the login and sha1(login+passwd) will be stored in a database or in an application-scope storage solution, like a hashmap.
  • But I still need you if you have a piece of PHP code. It's the reason why I put my answer as an edit.

1 answer

  • doushu0591 2014-06-01 13:04

    Oh, I just saw the badge "no view and no answer for a long time" and it brought me back here. I've finally found the answer:

    The registration is something you do only one time, so you can send the hash key without really good protection (I mean against sniffing).

    So here is the scenario to register:

    • Client enters login and password
    • Client sends login, hash (sha256(login + password))
    • The server stores this pair in the database (you can cache it in a hashmap to increase speed)

    Now for the login:

    • Client: asks for a session salt through a REST service or a hidden field in the HTML page.
    • Server: generates the salt from datetime and random and stores it in the session
    • Client enters the login and password
    • Client JavaScript hashes sha256(sha256(login + password) + salt) and stores the pair (login, hash) in the localStorage (HTML5; be careful with modernizer or other stuff like this, this pair needs to stay private)
    • Server checks if (sha256(stored_hash_for_login + salt_in_session) == hash received)
    • Server: if it's OK, stores the token shared with the client
    • Client logged in

    Now every time the client wants to make an authenticated request, he will use the following method:

    • get the pair (login, token) from localStorage
    • generate a hash of his request like this:
    • hash_request = sha256(login + sha256(token + timestamp) + sha256(token + paramA) + ...)
    • The params need to be in alphabetical order.

    The server receives the request (login, timestamp, params, hash_request), checks that the timestamp is not too old, generates the hash_request from the token in the hashmap for that login and checks if it is the same. In this way, you avoid the replay (timestamp) and the clear password.

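The following is an added example, not code from either poster: a PHP implementation of the server side of the scheme the answer describes (salted login check, per-request signature with sorted parameters and a timestamp window). The store names, the `name=value` binding of each parameter into its hash term, the 300-second skew window, the use of `random_bytes` for the salt and token, and the per-login cache of already-accepted signatures are choices made for this example; the cache is there because a timestamp alone still lets a captured request be resent inside the window. In a real application the registered credential would go through `password_hash` rather than a bare SHA-256.

```php
<?php
// Added example (not from the original thread): server side of the signed-request
// scheme from the answer. Store layout, parameter binding and skew window are assumptions.
declare(strict_types=1);

const MAX_CLOCK_SKEW = 300;   // seconds a request timestamp may differ from server time

// Stand-in for the "database / hashmap" the answer mentions. Constructed sample data:
// login => sha256(login + password) as registered; tokens are filled in after login.
$credentialStore = ['alice' => hash('sha256', 'alice' . 'correct horse battery staple')];
$tokenStore      = [];
$seenSignatures  = [];        // login => [hash_request => timestamp] accepted inside the window

// ---- Login step: challenge/response with a per-session salt ----
function makeSessionSalt(): string
{
    // The answer suggests datetime + random; a CSPRNG alone is used here (assumption).
    return bin2hex(random_bytes(16));
}

function verifyLogin(array $credentialStore, string $login, string $saltInSession, string $received): bool
{
    if (!isset($credentialStore[$login])) {
        return false;
    }
    $expected = hash('sha256', $credentialStore[$login] . $saltInSession);
    return hash_equals($expected, $received);   // constant-time comparison
}

function issueToken(): string
{
    return bin2hex(random_bytes(32));
}

// ---- Per-request signing: sha256(login + sha256(token + timestamp) + sha256(token + paramA) + ...) ----
function signRequest(string $login, string $token, int $timestamp, array $params): string
{
    ksort($params, SORT_STRING);                 // parameters in alphabetical order, as the answer requires
    $material = $login . hash('sha256', $token . $timestamp);
    foreach ($params as $name => $value) {
        // name=value is bound into each term (assumption) so two parameters cannot swap values unnoticed
        $material .= hash('sha256', $token . $name . '=' . $value);
    }
    return hash('sha256', $material);
}

function verifyRequest(array $tokenStore, array &$seenSignatures, array $request, ?int $now = null): bool
{
    $now ??= time();
    foreach (['login', 'timestamp', 'params', 'hash_request'] as $field) {
        if (!array_key_exists($field, $request)) {
            return false;
        }
    }
    $login = (string) $request['login'];
    if (!isset($tokenStore[$login])) {
        return false;                            // no token issued for this login
    }
    $timestamp = (int) $request['timestamp'];
    if (abs($now - $timestamp) > MAX_CLOCK_SKEW) {
        return false;                            // stale or future-dated request
    }
    $received = (string) $request['hash_request'];
    if (isset($seenSignatures[$login][$received])) {
        return false;                            // exact replay inside the window
    }
    $expected = signRequest($login, $tokenStore[$login], $timestamp, (array) $request['params']);
    if (!hash_equals($expected, $received)) {
        return false;                            // wrong token or tampered parameters
    }
    $seenSignatures[$login][$received] = $timestamp;
    return true;
}

// ---- Demo with constructed values ----
$salt = makeSessionSalt();                                   // normally kept in the PHP session
$clientLoginHash = hash('sha256', hash('sha256', 'alice' . 'correct horse battery staple') . $salt);
if (verifyLogin($credentialStore, 'alice', $salt, $clientLoginHash)) {
    $tokenStore['alice'] = issueToken();                     // handed to the client once, over TLS
}

$now = time();
$params = ['q' => 'php', 'page' => '2'];
$request = [
    'login' => 'alice', 'timestamp' => $now, 'params' => $params,
    'hash_request' => signRequest('alice', $tokenStore['alice'], $now, $params),
];
echo 'fresh request:    ', var_export(verifyRequest($tokenStore, $seenSignatures, $request, $now), true), PHP_EOL;
echo 'replayed request: ', var_export(verifyRequest($tokenStore, $seenSignatures, $request, $now), true), PHP_EOL;
echo 'old request:      ', var_export(verifyRequest($tokenStore, $seenSignatures, $request, $now + 3600), true), PHP_EOL;
$request['params']['page'] = '3';                            // parameter changed in transit
echo 'tampered request: ', var_export(verifyRequest($tokenStore, $seenSignatures, $request, $now), true), PHP_EOL;
```

Run it with `php example.php`: only the first call is accepted; the replayed, expired and tampered variants are all rejected. Entries in `$seenSignatures` older than `MAX_CLOCK_SKEW` can be dropped, since the timestamp check already refuses them.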
