dpkrbe395930
dpkrbe395930
2009-11-17 23:02
浏览 44
已采纳

在JSON Web服务中验证和跟踪用户

I have contact management / CRM application used in-house by our company, It is a web based app and thus uses a lot of Ajax. Most of the data is JSON, and the backend server uses PHP with MySQL as the database...

I would like to build a mini Adobe Air version of that, mostly because I can use Drag and Drop file uploads, client side image resizing, client side screenshot creation of uploaded files etc. etc.

Now, because the server side is a glorified JSON data provider, I figure I can adapt it to provide data to the AIR app.

My problem is, how do I handle authentication?
In PHP I use sessions for authentication...
For AIR i figure it will be more like a JSON webservice, where you call a certain URL to access certain JSON data.

After a bit of brainstorming, here is what I came up with:

  1. The user logs in when the AIR app starts
  2. The server returns an unique token on successful login, and stores that token in the DB
  3. The AIR app has to append that token to every request it makes to the server
  4. On every request, the server checks the validity of the token by comparing it to the one stored in the DB.

The questions are,
is there a better way than this?
How long should the token be valid for?
How do i handle clients that close the application without logging out, and without giving me a chance to nullify the token on the server?

If anyone has been in a similar situation, I hope to be enlightened by your answers...

thanks

图片转代码服务由CSDN问答提供 功能建议

我有我们公司内部使用的联系人管理/ CRM应用程序,它是一个基于Web的应用程序,因此使用 很多Ajax。 大多数数据都是JSON,而后端服务器使用PHP和MySQL作为数据库......

我想构建一个迷你Adobe Air版本,主要是因为我可以使用 拖放文件上传,客户端图像大小调整,客户端屏幕截图创建上传文件等等。

现在,因为服务器端是一个美化的JSON数据提供者,我想我可以 调整它以向AIR应用程序提供数据。

我的问题是,如何处理身份验证?
在PHP中我使用会话进行身份验证...
AIR我认为它更像是一个JSON Web服务,您可以在其中调用某个URL来访问某些JSON数据。

经过一些头脑风暴后,我想出了以下内容:< / p>

  1. 用户在AIR应用程序启动时登录
  2. 服务器在成功登录时返回唯一令牌,并将该令牌存储在数据库中
  3. AIR应用程序必须将该标记附加到它对服务器发出的每个请求
  4. 在每个请求上,serv 通过将令牌与存储在数据库中的令牌进行比较来检查令牌的有效性。

    问题是,有没有比这更好的方法 ?
    令牌何时有效?
    如何处理关闭应用程序但未注销的客户端,并且没有给我机会取消服务器上的令牌? \ n

    如果有人遇到类似的情况,我希望你的答案得到启发......

    谢谢

  • 点赞
  • 写回答
  • 关注问题
  • 收藏
  • 邀请回答

1条回答 默认 最新

  • doushanmo7024
    doushanmo7024 2009-11-17 23:09
    已采纳

    How about this:

    1. simply returning the PHP Session ID in your JSON data to the AIR App upon authentication
    2. Your AIR app stores the Session ID and uses it for requests in that session
    3. when your PHP receives request with Session ID, set it to that session ID:
    4. Your session will be maintained easily by PHP and you will be able to use $_SESSION as per normal.

    When you receive a request with Session ID, simply do this:

    if(isset($_GET['sess_id'])){
      session_id($_GET['sess_id']);
      // where $_GET['sess_id'] is where you put the Session ID stored in your AIR APP
    }
    

    This might be better because you drop the need of maintaining Sessions in database.

    点赞 评论

相关推荐