When writing an Android API backend in PHP, how should tokens and signatures be generated so that authentication stays secure? If the Android request is captured and the same request is sent again, how can the server tell that it is a malicious request?
Reply content:
In general, tokens have an expiration time, and controlling that expiration time reduces the risk of being attacked.
The sign exists to ensure the integrity of the data, so that it cannot be tampered with by an intermediary.
If you add a timestamp to the request, at least a man in the middle cannot directly replay the data.
HTTPS is recommended. It directly prevents packet capture, let alone forging the request. Much more convenient than using sign.
If you want to use sign, the usual approach is to run the request parameters through a cryptographic signing operation to obtain a signature string, which is sent to the server. The server performs the same signing operation over the parameters (excluding the signature string) and compares the result with the signature string the client sent; if they do not match, the request has been modified and is forged.
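Putting the two replies above together (a timestamp and expiry against replay, and the server recomputing the signature over the parameters and comparing), here is an added PHP example; it is not code from any of the answers. The per-app secret, the `ts`/`nonce`/`sign` parameter names and the 300-second window are assumptions, and the nonce store is a plain array standing in for something like Redis with a TTL.

```php
<?php
// Added example (not from the original answers): HMAC request signing with a
// timestamp and nonce, so a captured request cannot simply be replayed.
// Secret, parameter names and the 5-minute window are assumptions.
const SIGN_WINDOW_SECONDS = 300; // assumed tolerance for clock skew and latency
// Canonical form: parameters sorted by key, the signature itself excluded.
function canonicalize(array $params): string {
    unset($params['sign']);
    ksort($params, SORT_STRING);
    return http_build_query($params, '', '&', PHP_QUERY_RFC3986);
}
// Client side: add ts and nonce, then HMAC everything with the per-app secret.
function signRequest(array $params, string $secret, int $now): array {
    $params['ts'] = (string)$now;
    $params['nonce'] = bin2hex(random_bytes(16));
    $params['sign'] = hash_hmac('sha256', canonicalize($params), $secret);
    return $params;
}
// Server side. $seenNonces stands in for a short-lived store (e.g. Redis with a
// TTL equal to the window); a plain array here so the example runs stand-alone.
function verifyRequest(array $params, string $secret, int $now, array &$seenNonces): bool {
    if (!isset($params['sign'], $params['ts'], $params['nonce'])) {
        return false;
    }
    // A request outside the time window is stale, whether captured or not.
    if (abs($now - (int)$params['ts']) > SIGN_WINDOW_SECONDS) {
        return false;
    }
    // A nonce already seen inside the window means an exact replay.
    if (isset($seenNonces[$params['nonce']])) {
        return false;
    }
    // Recompute over the same parameters and compare in constant time.
    $expected = hash_hmac('sha256', canonicalize($params), $secret);
    if (!hash_equals($expected, (string)$params['sign'])) {
        return false;
    }
    $seenNonces[$params['nonce']] = true;
    return true;
}
// Demo with constructed requests: a fresh request, its exact replay, and a
// copy whose parameters were changed after signing.
$secret = 'app-secret-placeholder';
$seen = [];
$req = signRequest(['uid' => '42', 'action' => 'balance'], $secret, time());
var_dump(verifyRequest($req, $secret, time(), $seen));
var_dump(verifyRequest($req, $secret, time(), $seen));
$tampered = signRequest(['uid' => '42', 'action' => 'balance'], $secret, time());
$tampered['action'] = 'transfer';
var_dump(verifyRequest($tampered, $secret, time(), $seen));
```

The secret must only ever live on the server and inside the app; once it is extracted from the APK the scheme degrades to the integrity check the reply describes, which is why the HTTPS reply above still applies.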
It is recommended to use JSON Web Tokens to control the token expiration time.
I won't explain OAuth here; for the principle, read Mr. Ruan's article:
Http://www.ruanyifeng.com/blog/2014/05/oauth_2_0.html