dsgdfh302506 2016-10-06 08:59
Views: 704
Accepted

Multiple parameters in the Authorization header cannot be used together with Basic Auth

I am creating a basic API using Basic Auth over SSL. The API will be used in a mobile application and allow the creation of an account, with other fairly basic features.

I have decided to hard-code an API key into the mobile application to pass to the API to make it a bit harder for a hacker to access parts of the API that don't require a login (basic auth). Based on what I've read, the API key should be stored in the Authorization header in the HTTP request.

Authorization header:

Key ~@3o42jf!34vm3.!

My PHP API then reads the header and ensures that the key is correct. If it is, basic elements of the API are available.

The problem comes when trying to perform a task that requires a login to be passed to the API. My Authorization header then looks like this:

Key ~@3o42jf!34vm3.! Basic c3RhY2tAZ21haWwuY29tOnRlc3RpbmcxMjM=

The API can still read the key, but the email/password string that I access with $_SERVER['PHP_AUTH_USER'] and $_SERVER['PHP_AUTH_PW'] is now not set. Is the only way to get around this to read the header manually through apache_request_headers()?


1 answer

  • dongyu9894 2016-10-06 09:03

    Since this is a custom header, you should use a separate identifier for it. For example:

    X-Api-Key: ~@3o42jf!34vm3.!
    

    And then you can leave the basic auth header as it is (since it indeed won't work if you insert custom data in it).

    On the PHP side, your custom header can be accessed with $_SERVER['HTTP_X_API_KEY']

    Also make sure that your request headers are in the correct format. It should be like this:

    GET /api/v1/tickets HTTP/1.1
    Host: 123.123.123.123
    Authorization: Basic c3RhY2tAZ21haWwuY29tOnzzz3RpbmcxMjM=
    X-Api-Key: z7='sL(=}24qv'3F
    Cache-Control: no-cache
    Postman-Token: e657c66f-2db1-bf76-78c5-777305b5bfe6
    
    Accepted by the asker.
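The server side of the accepted answer, as an added example that is not part of the original question or answer: the API key travels in `X-Api-Key` and is read from `$_SERVER['HTTP_X_API_KEY']`, while `Authorization: Basic ...` is left untouched. It also covers the case the asker hit, where `PHP_AUTH_USER`/`PHP_AUTH_PW` are absent, by decoding the raw `Authorization` header as a fallback. The key value, the email/password pair and the credential table are constructed for the example; everything is fed from a plain array so it runs without a web server.

```php
<?php
// Added example, not code from the original post. Header handling for an API that
// takes a static key in X-Api-Key and user credentials in Authorization: Basic.
declare(strict_types=1);

// Expected key; in a real deployment load it from configuration, not a literal (assumption).
const EXPECTED_API_KEY = '~@3o42jf!34vm3.!';

// Constructed credential store for the example: email => password_hash().
function userTable(): array
{
    return ['stack@gmail.com' => password_hash('testing123', PASSWORD_DEFAULT)];
}

// Look up a request header by its wire name using the $_SERVER naming convention
// (X-Api-Key -> HTTP_X_API_KEY), which is how PHP exposes custom headers.
function headerValue(array $server, string $name): ?string
{
    $key = 'HTTP_' . strtoupper(str_replace('-', '_', $name));
    return $server[$key] ?? null;
}

// Validate the static API key with a constant-time comparison.
function apiKeyValid(array $server): bool
{
    $given = headerValue($server, 'X-Api-Key');
    return $given !== null && hash_equals(EXPECTED_API_KEY, $given);
}

// Return [user, password] from Basic auth, or null if none is present.
// PHP_AUTH_USER/PHP_AUTH_PW are populated by mod_php; under CGI/FastCGI they are
// usually missing, so fall back to decoding the Authorization header ourselves.
function basicCredentials(array $server): ?array
{
    if (isset($server['PHP_AUTH_USER'], $server['PHP_AUTH_PW'])) {
        return [$server['PHP_AUTH_USER'], $server['PHP_AUTH_PW']];
    }
    $auth = $server['HTTP_AUTHORIZATION'] ?? $server['REDIRECT_HTTP_AUTHORIZATION'] ?? null;
    if ($auth === null || stripos($auth, 'Basic ') !== 0) {
        return null;
    }
    // Strict decoding rejects anything that is not valid base64.
    $decoded = base64_decode(substr($auth, 6), true);
    if ($decoded === false || strpos($decoded, ':') === false) {
        return null;
    }
    // Split on the first ':' only; the password itself may contain colons.
    return explode(':', $decoded, 2);
}

// Check the Basic credentials against the stored password hash.
function basicAuthValid(array $server): bool
{
    $creds = basicCredentials($server);
    if ($creds === null) {
        return false;
    }
    [$user, $pass] = $creds;
    $hash = userTable()[$user] ?? null;
    return $hash !== null && password_verify($pass, $hash);
}

// Constructed request carrying both headers, as in the answer's example above.
$request = [
    'HTTP_X_API_KEY'     => '~@3o42jf!34vm3.!',
    'HTTP_AUTHORIZATION' => 'Basic ' . base64_encode('stack@gmail.com:testing123'),
];

var_dump(apiKeyValid($request));
var_dump(basicAuthValid($request));
```

In production, `$request` is simply `$_SERVER`. If PHP runs as CGI/FastCGI behind Apache, the `Authorization` header is often not passed through at all; the usual fix is `SetEnvIf Authorization "(.*)" HTTP_AUTHORIZATION=$1` in the vhost or `.htaccess`, after which the fallback branch above sees it. Note that the hard-coded key in a shipped mobile app is recoverable by anyone who unpacks the binary, so treat it as a speed bump for anonymous endpoints, not as authentication.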
