Api Design-php interface token data encryption

Source: Internet
Author: User

First, about the token.
The token is generated when the user logs on.
The user token is saved to the database on the server side; the client caches it locally, and most interfaces require the client to send the token so that it can be checked against the token in the server database for verification.

Each user's unique token is composed of the year and month, the client machine code, and the user ID.
(The year and month are used to guarantee the login retention period; the machine code is used to quickly identify the login source and determine whether to re-log on for important credentials; the user ID is actually added by the way.)

The problem arises.
=. = This is just like a session.
**If you capture the packets directly, each user uses the same token as the platform client. How to defend against attacks?**
In addition, this token is based on the user, so the login/registration verification (anti-robot) cannot be helped by this token.
=. = I'm still designing another code for verification (is there a way to verify login/registration with this token idea?)

Reply content:


This problem is extremely simple; take php as an example.
However, `session` is different from `cookies`, though a little close; this is designed to solve the problem of cookie value transfer.

First, during the login process, the user submits data to the server, such as
`username`, `password`, `client_key`.
After receiving the data, the server uses a verification algorithm in php to obtain a verification value, for example with `md5`.
(PS: the password is not required; otherwise, users log on again quickly after changing the password. Is this difficult?)
`$salt` is the encryption key, to prevent others from guessing the encryption algorithm.

// date('Y') is the 4-digit year and date('m') the 2-digit month; 'yyyy' and 'mm' are not PHP date formats.
$token = md5($username . $password . date('Y') . date('m') . $client_key . $salt);

After the calculation is complete, `$token` is returned to the client for storage. In the future, the client only needs to send `$token` and the user name.

When php receives this `$token`, just perform the preceding operation again to check whether the result is consistent.

To prevent malicious registration and login, `client_key` can be encrypted on the client and decrypted on the server for verification. However, this is useless: all client code is insecure; it can be analyzed by decompiling and de-obfuscation, and then forged. Therefore, client encryption is meaningless.
In addition, the server can also judge by IP address.
However, to address the root cause, to prevent malicious attacks you need to verify a mobile phone number at registration. Currently, this method is basically what is used.
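The answer above describes a token that is recomputed from the submitted fields rather than looked up. The following added example (mine, not code from the answer or from any project) shows that scheme in PHP with the date-format calls fixed, alongside a keyed variant a practitioner would normally reach for: an HMAC under a server-held key (`SERVER_KEY`, a hypothetical config value), an explicit expiry carried in the token, and a constant-time comparison with `hash_equals`. All sample inputs are constructed.

```php
<?php
// Added example, not from the original post. Two ways to issue and check an
// API token in PHP: (1) the md5 concatenation scheme from the answer, and
// (2) a keyed variant using hash_hmac with an expiry and constant-time compare.
// SERVER_KEY and the function names are hypothetical; inputs are constructed.

const SERVER_KEY = 'replace-with-a-long-random-secret-from-config'; // hypothetical

// (1) Unkeyed hash over concatenated fields, as in the answer.
function legacy_token(string $username, string $password, string $clientKey, string $salt, int $now): string
{
    // 'Y' is the 4-digit year, 'm' the 2-digit month ('yyyy'/'mm' are not PHP formats).
    return md5($username . $password . date('Y', $now) . date('m', $now) . $clientKey . $salt);
}

// (2) Keyed token: HMAC-SHA256 over username, device key and expiry.
// The payload travels in the clear (base64url); the MAC is what protects it,
// so the server can recompute and check it without a database lookup.
function issue_token(string $username, string $clientKey, int $now, int $ttlSeconds = 30 * 86400): string
{
    $exp = $now + $ttlSeconds;
    $payload = $username . '|' . $clientKey . '|' . $exp;
    $mac = hash_hmac('sha256', $payload, SERVER_KEY);
    $b64 = rtrim(strtr(base64_encode($payload), '+/', '-_'), '=');
    return $b64 . '.' . $mac;
}

function verify_token(string $token, string $username, string $clientKey, int $now): bool
{
    $parts = explode('.', $token, 2);
    if (count($parts) !== 2) {
        return false;
    }
    [$b64, $mac] = $parts;
    $payload = base64_decode(strtr($b64, '-_', '+/'), true);
    if ($payload === false) {
        return false;
    }
    $fields = explode('|', $payload, 3);
    if (count($fields) !== 3) {
        return false;
    }
    [$user, $client, $exp] = $fields;
    // Recompute the MAC over the received payload and compare in constant time,
    // so the response timing does not reveal how many bytes matched.
    $expected = hash_hmac('sha256', $payload, SERVER_KEY);
    if (!hash_equals($expected, $mac)) {
        return false;
    }
    // Bind the token to the claimed user and device, and enforce the expiry.
    return $user === $username && $client === $clientKey && (int) $exp > $now;
}

// Constructed sample run covering the cases a verifier must reject.
$now = 1700000000;
$legacy = legacy_token('alice', 'pw', 'device-abc123', 'site-salt', $now);
$t = issue_token('alice', 'device-abc123', $now);

$results = [
    'valid'          => verify_token($t, 'alice', 'device-abc123', $now + 60),
    'expired'        => verify_token($t, 'alice', 'device-abc123', $now + 31 * 86400),
    'mac_mismatch'   => verify_token($t . 'x', 'alice', 'device-abc123', $now + 60),
    'other_device'   => verify_token($t, 'alice', 'other-device', $now + 60),
];
var_dump($legacy, $results);
```

Only the first case should verify; the other three exercise expiry, a modified token, and a token presented from a device it was not issued to. Whether the token is recomputed as here or is a random value stored server-side as the question proposes, the comparison on the server should always be constant-time, and the rotation or revocation story (what happens on password change or logout) has to be decided separately.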

I am also writing one, but it has not been implemented yet.

1. If the user logs on through token verification, it is similar to a cookie in the app. It is no problem for the user to log on to the app; if the user logs on from the client again, the user needs to log on again, and the machine code of the client is obtained again during verification.

In addition, the client's token can also be made more complicated: it can be encrypted with js and parsed after being obtained in php.

Although the token is not safe to some extent, it is safer than passing the user password.
A token is generally used in stateless, non-cookie mode, or if the token is used as the session ID in cookies.
Although the token is not safe, it can still be trusted to a certain degree as an authentication mode.

I wrote a blog just recently. Although it doesn't go into some technical details, I still have some ideas; let's see if it helps you.

First, make it clear that a Token is used to authenticate identity after login, so from the beginning you have been mistaken in expecting to use it for anti-malicious registration. Next, let's talk about the difference between a Token and a Session. A Token is more customizable, because it is implemented by you, so it can do a lot of things that a Session is inconvenient for, such as better device authentication, more convenient control of the validity period, better cross-platform support ...... Most importantly, HTTP is defined as stateless, while the existence of Cookies is undoubtedly detrimental to that definition, so almost all interfaces refuse to use Cookies; once Cookies are abandoned, the Token naturally becomes the first choice for verification. Finally, Token security focuses on the fact that it cannot be cracked or tampered with, rather than on whether it will be intercepted during transmission and enable a man-in-the-middle attack. Interception protection should be implemented by enhancing security during transmission, such as adding a parameter signature or directly using HTTPS.
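The answer above closes by recommending a parameter signature on top of the token. The added example below (mine, not from the answer or its author's blog) shows what that looks like in PHP: the client signs the method, path, sorted parameters, a timestamp and a nonce with `hash_hmac` under a per-login secret, and the server recomputes the signature, rejects stale timestamps, and refuses nonces it has already seen. The secret, the `$seenNonces` store and all request values are constructed stand-ins; a real deployment would keep seen nonces in a cache with a TTL.

```php
<?php
// Added example, not from the original answer: a request "parameter signature"
// built with hash_hmac. The shared secret, the nonce store and the sample
// request are constructed; function names are hypothetical.

// Canonical string: method, path, parameters sorted by key, timestamp, nonce.
// Sorting makes the signature independent of parameter order; the timestamp
// and nonce make two identical requests produce different signatures.
function canonical_string(string $method, string $path, array $params, int $ts, string $nonce): string
{
    ksort($params, SORT_STRING);
    $pairs = [];
    foreach ($params as $k => $v) {
        $pairs[] = rawurlencode((string) $k) . '=' . rawurlencode((string) $v);
    }
    return strtoupper($method) . "\n" . $path . "\n" . implode('&', $pairs) . "\n" . $ts . "\n" . $nonce;
}

// Client side: sign the canonical string with the per-login secret.
function sign_request(string $secret, string $method, string $path, array $params, int $ts, string $nonce): string
{
    return hash_hmac('sha256', canonical_string($method, $path, $params, $ts, $nonce), $secret);
}

// Server side. $seenNonces stands in for a short-lived store keyed by nonce.
function verify_request(
    string $secret, string $method, string $path, array $params, int $ts, string $nonce,
    string $sig, int $now, array &$seenNonces, int $skewSeconds = 300
): bool {
    // Bound the replay window: reject timestamps too far from server time.
    if (abs($now - $ts) > $skewSeconds) {
        return false;
    }
    // Reject a nonce already accepted inside the window.
    if (isset($seenNonces[$nonce])) {
        return false;
    }
    // Recompute and compare in constant time.
    $expected = sign_request($secret, $method, $path, $params, $ts, $nonce);
    if (!hash_equals($expected, $sig)) {
        return false;
    }
    $seenNonces[$nonce] = $ts;
    return true;
}

// Constructed sample exchange.
$secret = 'per-login-secret-issued-together-with-the-token'; // constructed
$params = ['user' => 'alice', 'amount' => '10', 'to' => 'bob'];
$ts = 1700000000;
$nonce = bin2hex(random_bytes(8));
$sig = sign_request($secret, 'POST', '/api/transfer', $params, $ts, $nonce);

$seen = [];
// Case 1: the request exactly as the client sent it.
$accepted = verify_request($secret, 'POST', '/api/transfer', $params, $ts, $nonce, $sig, $ts + 5, $seen);
// Case 2: a parameter changed in transit; the signature no longer covers it.
$tampered = $params;
$tampered['to'] = 'carol';
$rejectedTamper = verify_request($secret, 'POST', '/api/transfer', $tampered, $ts, $nonce, $sig, $ts + 5, $seen);
// Case 3: the original request submitted again; the nonce has already been used.
$rejectedReplay = verify_request($secret, 'POST', '/api/transfer', $params, $ts, $nonce, $sig, $ts + 10, $seen);
// Case 4: a correctly signed request presented long after the allowed skew.
$rejectedStale = verify_request($secret, 'POST', '/api/transfer', $params, $ts, 'fresh-nonce', 
    sign_request($secret, 'POST', '/api/transfer', $params, $ts, 'fresh-nonce'), $ts + 3600, $seen);
var_dump($accepted, $rejectedTamper, $rejectedReplay, $rejectedStale);
```

Only the first case is accepted. The signature gives integrity for the parameters, and the timestamp plus nonce give replay resistance within the window; neither provides confidentiality, which is why the answer pairs the signature with HTTPS rather than offering it as a substitute.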
