Query-string JWT (JSON Web Token) authentication in a PHP Slim API




This is a question about the best way of implementing JWT in a Slim PHP API - I'm looking for some guidance from senior/experienced developers as to how to proceed.

I currently have an open API, where users can perform get requests with query parameters such as device and date-time range to pull data. I also have devices which are POSTing data, with no authentication. We're not in production yet, but obviously this is bad.

To tackle this, I've been looking at implementing stateless authentication on the GET requests in the first case, specifically using JWT. I initially thought about passing the JWT through as a query string, with options for resetting a token performed through the web front-end after a user has logged in. However, I can see this being bad for man-in-the-middle attacks and my token being exposed (if using plain http). If I was to make sure all get/post requests were performed as https requests, will this be sufficiently secure?

What seems to be the more secure way would be to pass the token through the header. But from what I understand about this, you'd need something like Postman to be able to send requests, which isn't really an option since my users want to access the data using their browser only.


It's pointless using http; https is a must, otherwise everyone in between the user and your server will see the password, and the responses can even be cached.

The token can be stored in a secure cookie which the browser will automatically include with each request. (The Slim Middleware for JWT has this functionality built in). Check out many available libraries at

Adding the token to the query string isn't needed if you use cookies. I would not recommend adding tokens to the query string as they are too easily leaked. (Users love copy & pasting URLs to each other, which would also leak the token.)

Note: If you're not sure if JWT is right for you, check out:
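To illustrate the cookie-based approach the answer recommends, here is an added example written for this page (not the Slim JWT middleware and not code from the original post): a plain-PHP HS256 verifier that takes the token only from a Secure/HttpOnly cookie and never from the query string. The cookie name `jwt` and the caller-supplied `$secret` are assumptions.

```php
<?php
// Added example: HS256 JWT carried in a Secure/HttpOnly cookie, never in the URL.
// Assumed names: cookie "jwt"; $secret is a server-side value the caller supplies.

function b64url_encode(string $data): string {
    return rtrim(strtr(base64_encode($data), '+/', '-_'), '=');
}

function b64url_decode(string $data): string {
    return base64_decode(strtr($data, '-_', '+/'), true) ?: '';
}

// Issue the token in a cookie the browser sends automatically but only over HTTPS,
// that scripts cannot read, and that is not attached to cross-site requests.
function issue_jwt_cookie(array $claims, string $secret, int $ttl = 3600): void {
    $header  = b64url_encode(json_encode(['alg' => 'HS256', 'typ' => 'JWT']));
    $payload = b64url_encode(json_encode(array_merge($claims, ['exp' => time() + $ttl])));
    $sig     = b64url_encode(hash_hmac('sha256', "$header.$payload", $secret, true));
    setcookie('jwt', "$header.$payload.$sig", [
        'expires'  => time() + $ttl,
        'path'     => '/',
        'secure'   => true,      // never transmitted over plain http
        'httponly' => true,      // invisible to JavaScript, limiting XSS impact
        'samesite' => 'Strict',  // not sent on cross-site requests (CSRF)
    ]);
}

// Verify a token read from the cookie jar only; the query string is never consulted.
// Returns the claims on success, null on any failure.
function verify_jwt_from_cookie(array $cookies, string $secret): ?array {
    $parts = explode('.', $cookies['jwt'] ?? '');
    if (count($parts) !== 3) {
        return null;
    }
    [$header, $payload, $sig] = $parts;
    $hdr = json_decode(b64url_decode($header), true);
    if (($hdr['alg'] ?? '') !== 'HS256') {   // pin the algorithm; never honour "none"
        return null;
    }
    $expected = hash_hmac('sha256', "$header.$payload", $secret, true);
    if (!hash_equals($expected, b64url_decode($sig))) {   // constant-time comparison
        return null;
    }
    $claims = json_decode(b64url_decode($payload), true);
    if (!is_array($claims) || ($claims['exp'] ?? 0) <= time()) {   // reject expired tokens
        return null;
    }
    return $claims;
}
```

Call `verify_jwt_from_cookie($_COOKIE, $secret)` at the start of each authenticated GET handler and respond with 401 when it returns null. Because the cookie is sent by the browser itself, users need nothing like Postman; they can keep using plain browser URLs without the token ever appearing in them.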
