douzhuang1900
2014-03-26 09:14
浏览 72
已采纳

PHP REST API - 验证

I'm sorry to put another REST Authenticate question on the website but I really need to get a complete answer. I have a REST API in which I try to log in a single page website (through jquery).

I want to create a token based authentication, but there is some step I still can't understand.

At first, do I have to make a normal authentication to get and store in db the user login/password ? Do I have to use the user session to store the token ? Does someone have an exemple of php code that I can use ?

source :

----------- EDIT ---------------

Ok, I have some news to add.

  • First, Yes I have to make a normal authentification by sending the pair login, sha1(login+passwd)
  • After, No, never use the session like a secure way to store data, the login and sha1(login+passwd) will be store in database or in a application scope storing solution, like an haspmap.
  • But I still need you if you have a piece of php code. It's the reason why I put my answer as an edit.

图片转代码服务由CSDN问答提供 功能建议

我很遗憾在网站上提出另一个REST身份验证问题,但我真的需要得到一个完整的答案。 我有一个REST API,在其中我尝试登录单页网站(通过jquery)。

我想创建一个基于令牌的身份验证,但有一些步骤我仍然可以' 理解。

首先,我是否必须进行正常的身份验证才能在db中获取并存储用户登录名/密码? 我是否必须使用用户会话来存储令牌 ? 有人有我可以使用的PHP代码示例吗?

来源:

  • PHP rest API身份验证
  • http://www.thebuzzmedia.com/designing-a-secure-rest-api-without-oauth- authentication /

    -----------编辑---------------

    好的,我有一些新闻需要补充。

    • 首先,是的我必须通过发送一对来进行正常的身份验证 login,sha1(login + passwd) < li>之后,不,永远不会像安全的方式一样使用会话来存储数据,登录和sha1(登录+ passwd)将存储在数据库或应用程序范围存储解决方案中,如haspmap。
    • 但如果你有一段PHP代码,我仍然需要你。 这就是我将答案作为编辑的原因。
  • 写回答
  • 好问题 提建议
  • 追加酬金
  • 关注问题
  • 邀请回答

1条回答 默认 最新

  • doushu0591 2014-06-01 13:04
    最佳回答

    Oh, I just see the badge "no view and no answer for a long time" and it bring me back here. I've finally found the answer :

    The register is something you do only one time so you can send the hash key without a really good protection. (I mean against sniffing).

    So here is the scenario to register :

    • Client enter login and password
    • Client sends login, hash (sha256(login + password))
    • The server store this pair in database (you can cache it in hashmap to increase speed)

    Now for the login

    • Client : ask for a session salt throught a rest service or hidden field in html page.
    • Server : generate the salt from datetime and random and store in session
    • Client enter the login and password
    • Client javascript hash sha256(sha256(login + password) + salt) and store the pair (login, hash) in the localstorage (html5, be carefull to modernizer or other stuff like this, this pair need to stay private)
    • Server check if (sha256(stored_hash_for_login + salt_in_session) == hash received)
    • Server : if it's ok store the token shared with the Client
    • Client logged in

    Now Everytime the client want to make a authenticate request, he will use the following method :

    • get the pair (login, token) from localstorage
    • generate a hash of is request like this :
    • hash_request = sha256(login + sha256(token + timestamp) + sha256(token + paramA) + ...)
    • The param need to be in alphabetic order.

    The Server receive the request (login, timestamp, params, hash_request), check if the timestamp is not too old and do the generate the hash_request from the token in hashmap for the login and check if it the same. In this way, you avoid the replay (timestamp) and the clear password.

    评论
    解决 无用
    打赏 举报

相关推荐 更多相似问题