API authentication-How to generate tokens and sign when writing Android interfaces in PHP, and what is the rationale for verifying security

Source: Internet
Author: User
When writing the Android interface in PHP, how to generate tokens and sign, to ensure the principle of authentication security, if the Android request link is caught, send the same request, how to judge is a malicious request

Reply content:

When writing the Android interface in PHP, how to generate tokens and sign, to ensure the principle of authentication security, if the Android request link is caught, send the same request, how to judge is a malicious request

In general, tokens have an expiration date, and the expiration date is controlled to reduce the risk of being attacked.
Sign is designed to ensure the integrity of the data and not be tampered with by intermediaries.
If you add a timestamp to the request, at least you can't replay the data directly to the middleman.

It is advisable https to directly prevent the capture of the bag and to forge the request, let alone. Much more convenient than using sign.

If you want to use sign, it is generally the parameters of the request through the cryptographic signature to get a string of signed string to the server, the server also put the parameters in addition to the signature string of the same cryptographic signature operation, and the client came from the signature string comparison, if not match, it indicates that the request has been modified, is forged.

It is recommended to use JSON Web token to control token expiration time

OAuth does not explain, about the principle of reading Mr. Ruan's article
Http://www.ruanyifeng.com/blog/2014/05/oauth_2_0.html

App Interface Design

  • Related Article

    Contact Us

    The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

    If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

    A Free Trial That Lets You Build Big!

    Start building with 50+ products and up to 12 months usage for Elastic Compute Service

    • Sales Support

      1 on 1 presale consultation

    • After-Sales Support

      24/7 Technical Support 6 Free Tickets per Quarter Faster Response

    • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.