令牌认证休息API会话

I am using the Slim Framework to create a stateless REST API. Before using this I created a SESSION on server side with session check on every page. But now, I don't know how to control it.

I have an api_key in my database for each user. After a user signin, I respond with a api_key and redirect the user to index.php. But the api_key is not retained. How can I pass the api_key to each page with Javascript? Reason being if someone wants data from my REST API, they have to send me an api_key and also if the user logged in before I don't want to show login page again.

Here is my REST API part:

$app->post('/userlogin', function() use ($app) {
    verifyRequiredParams(array('email', 'password'));
    $email = $app->request->post('email');
    $password = $app->request->post('password');

    $objUserRegLog = new UserRegistrationLogin;
    $result = $objUserRegLog->getUserByEmailAndPassword($email, $password);
    if (!$result) {
        $response["error"] = true;
        $response["message"] = "Error! Invalid e-mail address or password.";
    } else {
        $response["error"] = false;
        $response["id"] = $result["id"];
        $response["email"] = $result["email"];
        $response["api_key"] = $result["api_key"];
    }
    echoResponse(200, $response);
});

$app->get('/students', 'authenticateStudent', function() use ($app) {
    $objStd = new Students;
    $result = $objCases->getAllStudents();
    if (!$result) {
        $response["error"] = true;
        $response["error_msg"] = "An error occured.";
        $status_code = 404;
    } else {
        $response["error"] = false;
        $response["cases"] = $result;
        $status_code = 200;
    }
    echoResponse($status_code, $response);
});

function authenticateStudent(\Slim\Route $route) {
    $headers = apache_request_headers();
    $response = array();
    $app = \Slim\Slim::getInstance();

    if (isset($headers['Authorization'])) {
        $db = new DbOperation();
        $api_key = $headers['Authorization'];
        if (!$db->isValidStudent($api_key)) {
            $response["error"] = true;
            $response["message"] = "Access Denied. Invalid Api key";
            echoResponse(401, $response);
            $app->stop();
        }
    } else {
        $response["error"] = true;
        $response["message"] = "Api key is misssing";
        echoResponse(400, $response);
        $app->stop();
    }
}

And the call with AJAX :

$.signin = function() {
    var inputVals = $("#form_signin").serialize();
    $.ajax({
        url : "api/v1/userlogin",
        data : inputVals,
        dataType : "json",
        type : "post",
        success : function(response) {
            if (response.error) {
                $(".popup").trigger("click");
                $(".modal-title").html(response.message_title);
                $(".modal-body").html(response.message);
            } else {
                window.location.href = "index.php";
            }
            console.log(response);
        }
    });
    return false;
}
douxianji6104
douxianji6104 如果你信任用户,那么cookie是安全的。对于令牌来说,这完全没问题。
4 年多之前 回复
dongpan9760
dongpan9760 ValverdePareja你能举个例子吗?饼干安全吗?
4 年多之前 回复
dongsu0308
dongsu0308 你为什么不用饼干?
4 年多之前 回复

2个回答



嗯,您需要了解客户端发送给您服务器的每个请求都是独立的,因此您需要放置一个变量(令牌) )在客户端系统中,为了让他在每个请求中发送它,所以你知道谁一直在与你的服务器通话。 开始阅读: http://www.w3schools.com/php/php_cookies.asp </ p>

一旦了解了Cookie的工作原理和方式,请尝试进一步阅读有关身份验证和授权主题的内容。</ p>
</ div>

展开原文

原文

Well, you need to understand that every request the client sends to your server is independent, so you need to put a variable (the token) in the client system in order to let him to send it in every request, so you know who is talking to your server all the time. Start reading this: http://www.w3schools.com/php/php_cookies.asp

Once you understand what are and how cookies work, try to read further about authentication and authorization topics.

You have three ways to provide such information.

Cookies

In most cases, if you have a login screen, you want to use cookies as mentioned by Hector. One potential problem with cookies, some people do not want them from "random" websites. However, the good thing is you can close your tab, reopen it, and you can still be logged in (it depends on the type of cookie, but in most cases you want to use this type).

Query String

One other way, tedious, is to add a query string parameter with the session identifier. This also means you must make sure that each single link on your page includes that session identifier. Also, it is generally viewed as a security issue because people who look over your shoulder can see the session identifier (frankly, unless they have a photographic memory...) For people who block cookies, this is another way. However, since it is using the exact same type of session identifier, you may be infringing on what the user meant when blocking cookies.

HTML Code

The last way, which requires even more work, is to put the value in the HTML. For example, you could use a <meta ...> tag. At least that way it is hidden from people looking over your shoulder. But you still need to transmit it when someone clicks on your links, somehow. That means you must load any other page using a POST in JavaScript. That's rather unconventional. And just like with the previous method. You may be infringing on the user's will of "no tracking please".

What about Security?

The most secure is to have an HTTPS connection with a cookie marked as HTTP-only (i.e. JavaScript cannot access it, so it cannot temper with it.)

All other methods have additional security issues.

Csdn user default icon
上传中...
上传图片
插入图片
抄袭、复制答案,以达到刷声望分或其他目的的行为,在CSDN问答是严格禁止的,一经发现立刻封号。是时候展现真正的技术了!
立即提问
相关内容推荐