WebApp Interface Security Design idea

In doing WEBQQ or app development, inevitably there will be an interface is authorized (such as query user sensitive information, etc.), then the interface security design thinking is very important.

Simply, save the login data in the app and transfer each time the interface is called

Programmers can always find a lazy way, some programs for the sake of convenience, after the user logs in, the user name and password are saved locally, and then each time the backend interface is called as a parameter pass. It's a good thing! But this method is as simple as holding a bag of money on the road and shouting, "Come and rob me!" Come on, rob me! ", a small sniffer will be able to take the user's password to the hand, if the user is accustomed to use a password in all places, then you make a catastrophe, hackers through the method of the library can yiguoduan all the information users.

Secure point: Request token once at login, then call interface with token

When the user logs on, the login information is passed to the background, the background through the encryption algorithm to generate tokens and tokens stored in the database or cache server, while the token back to the client, the interface calls with token parameters, the background by determining whether token is valid to give different permissions. (Ps:token algorithm MD5 (username+timestamp+ random string))

More secure: Regenerate into a sign

Use DeviceID and timestamps to regenerate a parameter sign, such as MD5 (Deviceid+timestamp+ip+token). Data request: Https://api.xx.com/api?tamp=12445323134&token=adcdaxdecagh&sign=FDK2434JKJFD334FDF2

Ps:token controls the validity period and sign guarantees data integrity.

Other design options: JSON Web Token

WebApp Interface Security Design idea