One: Transport protocol
Ensure login security at the transport layer, preferably by using HTTPS (Secure Hypertext Transfer Protocol).
HTTPS requires requesting a certificate for the server.
Two: Process model
(1) The server receives the user name and password sent by the app and verifies that they are correct.
If validation succeeds, it generates a random, non-repeating token string and maintains a mapping table in Redis such as token => id.
(2) The server returns the token string to the app; the app saves the token string as its login credential.
(3) Whenever an operation needs to verify the user's identity, the token must be passed to the server along with the request; the server uses this token to look up the corresponding user information.
(4) The token and its mapping are deleted when the user logs out.
The approximate model is as above. From it we can see that anyone who gets hold of the URL also gets the token and can forge requests as that user, so below we use URL signing to further optimize.
Three: URL signature
The above model relies on the token, and if the URL leaks then the token leaks with it.
How to prevent this leak: we can avoid transmitting the token itself over the Internet.
Approximate steps:
(1) After the server authenticates the user name and password, it returns the token and ID to the client.
(2) The client MD5-signs the token string and ID, and the transmission becomes sign=<MD5 value>&id=x.
(3) When the server receives the request, it computes the signature with the same method and compares; if it matches, execution continues.
(4) There is still a problem: someone who intercepts this request can call the same request address repeatedly, so we add a timestamp to prevent replayed calls.
Synchronize local time with server time when the app starts; if the gap between the request timestamp and server time is too large, the request is treated as expired.
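The token model of section Two and the signed URL of section Three, worked through as an added Go example (this is not code from the original post). An in-memory map stands in for the Redis table, the signature covers token, id and timestamp exactly as steps (2) and (4) describe, and the 5-minute clock tolerance is an assumed value. MD5 is used because that is what the post prescribes; for a new design the conventional choice for this kind of message authentication is a keyed HMAC such as HMAC-SHA256, which also removes the need to keep the hash output secret.

```go
package main

import (
	"crypto/md5"
	"crypto/rand"
	"crypto/subtle"
	"encoding/hex"
	"errors"
	"fmt"
	"strconv"
	"time"
)

// TokenStore stands in for the Redis mapping table (token => id) of section Two.
// It is a constructed in-memory map; the reverse index id => token is added so the
// server can recompute a signature from the id alone, as section Three requires.
type TokenStore struct {
	byToken map[string]int
	byID    map[int]string
}

func NewTokenStore() *TokenStore {
	return &TokenStore{byToken: map[string]int{}, byID: map[int]string{}}
}

// Issue creates a random, non-repeating token for userID (section Two, step (1)).
func (s *TokenStore) Issue(userID int) (string, error) {
	buf := make([]byte, 16)
	for {
		if _, err := rand.Read(buf); err != nil {
			return "", err
		}
		tok := hex.EncodeToString(buf)
		if _, taken := s.byToken[tok]; taken {
			continue // collision: draw again so tokens never repeat
		}
		s.byToken[tok] = userID
		s.byID[userID] = tok
		return tok, nil
	}
}

// Lookup resolves a token to its user id (section Two, step (3)).
func (s *TokenStore) Lookup(token string) (int, bool) {
	id, ok := s.byToken[token]
	return id, ok
}

// Revoke deletes the token and both mapping entries on logout (section Two, step (4)).
func (s *TokenStore) Revoke(token string) {
	if id, ok := s.byToken[token]; ok {
		delete(s.byID, id)
	}
	delete(s.byToken, token)
}

// Sign is the URL signature of section Three: MD5 over token, id and timestamp.
// Only sign, id and t travel in the URL; the token itself never does.
func Sign(token string, id int, ts int64) string {
	sum := md5.Sum([]byte(token + strconv.Itoa(id) + strconv.FormatInt(ts, 10)))
	return hex.EncodeToString(sum[:])
}

// MaxSkew is the assumed tolerance between the app clock and the server clock.
const MaxSkew = 5 * time.Minute

var (
	ErrExpired      = errors.New("timestamp outside the allowed window")
	ErrUnknownID    = errors.New("no token issued for this id")
	ErrBadSignature = errors.New("signature mismatch")
)

// Verify is the server side of step (3) plus the timestamp check of step (4):
// reject stale requests first, then recompute the signature from the stored token.
func (s *TokenStore) Verify(id int, ts int64, sign string, now time.Time) error {
	if d := now.Sub(time.Unix(ts, 0)); d > MaxSkew || d < -MaxSkew {
		return ErrExpired
	}
	token, ok := s.byID[id]
	if !ok {
		return ErrUnknownID
	}
	expected := Sign(token, id, ts)
	if subtle.ConstantTimeCompare([]byte(expected), []byte(sign)) != 1 {
		return ErrBadSignature
	}
	return nil
}

func main() {
	store := NewTokenStore()
	tok, _ := store.Issue(42) // issued after the password check succeeded
	now := time.Now()
	sign := Sign(tok, 42, now.Unix())
	fmt.Printf("GET /api/profile?sign=%s&id=%d&t=%d\n", sign, 42, now.Unix())
	fmt.Println("fresh request:", store.Verify(42, now.Unix(), sign, now))
	fmt.Println("replayed later:", store.Verify(42, now.Unix(), sign, now.Add(MaxSkew+time.Minute)))
	store.Revoke(tok)
	fmt.Println("after logout:", store.Verify(42, now.Unix(), sign, now))
}
```

The timestamp check runs before the map lookup so that a replayed URL is rejected without touching the store, and the comparison is constant-time so the server does not leak how many leading bytes of a guessed signature were right.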
Remaining risks:
(1) When the user first verifies the account password, the response is returned in clear text and risks being intercepted.
(2) The URL signature only protects the token value; it cannot protect other sensitive information in the request.
Four: Protect information with AES symmetric encryption
A single key, encrypted on the client, decrypted on the server.
When the user name and password are validated successfully for the first time, the token and an AES key are returned together, and subsequent requests can be delivered as AES(token + content).
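The AES(token + content) exchange of section Four as an added Go example (not code from the original post). It assumes the server keeps the token and AES key it issued at login in a per-user session record and can find that record for the requesting user; the post does not say how that lookup is keyed, so the example works at the level of a single Session. AES-GCM is used rather than plain AES because it authenticates the ciphertext, so a tampered or wrong-key request is rejected before the embedded token is examined.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/subtle"
	"errors"
	"fmt"
)

// Session is what the server returns after the first successful password check in
// section Four: the login token plus the AES key for this user. Both are random and
// are kept server-side; the client stores its copy for subsequent requests.
type Session struct {
	Token []byte
	Key   []byte // 32 bytes => AES-256
}

func NewSession() (*Session, error) {
	s := &Session{Token: make([]byte, 16), Key: make([]byte, 32)}
	if _, err := rand.Read(s.Token); err != nil {
		return nil, err
	}
	if _, err := rand.Read(s.Key); err != nil {
		return nil, err
	}
	return s, nil
}

// aesSeal encrypts plaintext with AES-GCM under key and returns nonce||ciphertext||tag.
func aesSeal(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// aesOpen reverses aesSeal; it fails if the key is wrong or any byte was modified.
func aesOpen(key, sealed []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], nil)
}

// EncryptRequest is the client side: AES(token + content), as the post describes.
func (s *Session) EncryptRequest(content []byte) ([]byte, error) {
	plain := append(append([]byte{}, s.Token...), content...)
	return aesSeal(s.Key, plain)
}

var ErrTokenMismatch = errors.New("embedded token does not match this session")

// DecryptRequest is the server side: decrypt with the session key, then confirm the
// embedded token is the one issued for this session before trusting the content.
func (s *Session) DecryptRequest(sealed []byte) ([]byte, error) {
	plain, err := aesOpen(s.Key, sealed)
	if err != nil {
		return nil, err
	}
	if len(plain) < len(s.Token) || subtle.ConstantTimeCompare(plain[:len(s.Token)], s.Token) != 1 {
		return nil, ErrTokenMismatch
	}
	return plain[len(s.Token):], nil
}

func main() {
	sess, _ := NewSession() // returned to the app after login, kept by the server
	req, _ := sess.EncryptRequest([]byte("GET balance")) // constructed request body
	fmt.Printf("wire bytes: %d (nonce + ciphertext + tag)\n", len(req))
	content, err := sess.DecryptRequest(req)
	fmt.Printf("server sees: %q, err=%v\n", content, err)
	req[len(req)-1] ^= 1 // flip one bit in transit
	_, err = sess.DecryptRequest(req)
	fmt.Println("tampered request:", err)
}
```

Because the token rides inside the ciphertext, it is never visible on the wire, which closes risk (2) above; the key still has to be delivered over HTTPS at login, which is why section One remains necessary.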
app-User login and information transfer design