PHP implementation of token for app interface design

Source: Internet
Author: User
Tags: ticket

In order to ensure the relative security of data transmitted between the mobile app and the server, interface traffic needs to be encrypted in transit.

First, the purpose of the token design:

Because the app side has no session mechanism like a PC browser, the server cannot tell whether the user is logged in, so a mechanism is needed to implement the session; that is the role of the token.

The token is the user's sole ticket for being logged in: as long as the token carried by the app matches the one held on the server side, it proves that the user has logged in (just as when you go to the movies you need to buy a ticket, and with the ticket you can get in).

Second, the types of token design:

(1) Third-party login type: this token takes the form of an access_token and is designed according to OAuth 2.0. Its characteristic is that it is refreshed on a schedule (for example every two hours), because when the data source grants login permission to a third-party server it must control the validity period and the permissions; otherwise the third-party server could obtain arbitrary user data from the data source server indefinitely without the user's consent.

(2) App self-login type: this is the token carried by an ordinary app. Because no third party is involved and the user fetches data directly from the data source server, the design can be looser: it only needs to guarantee that the token is unique.

Third, the implementation steps for the app self-login token:

(1) Add a token field and a time_out field (the token's expiration time) to the database user table.

(2) When the user logs in (and on registration, which also logs the user in automatically), generate a token and its expiration time and write them into the table.

(3) Before any other interface call, check whether the token is correct; if it is, continue, otherwise make the user log in again.

Fourth, the app self-login token implementation code (this is the company's own framework and logic; focus on the logic rather than copying the code directly):

(1) The following is the code that writes the token into the database when the user logs in.

// Generate a fresh token and store it on the user's row together with its expiry.
$logininfo['token'] = AppUser::setToken();
$time_out = strtotime("+7 days");
DB::setByPK('u_adver', array('token1' => $logininfo['token'], 'time_out' => $time_out), $logininfo['id']);

(2) The following is the token generation method.

public static function setToken() {
    // Generate a string that will not be duplicated. Note that uniqid()/microtime()
    // are time-based and not a cryptographically secure random source.
    $str = md5(uniqid(md5(microtime(true)), true));
    $str = sha1($str); // hash it again (SHA-1 is a hash, not encryption)
    return $str;
}

(3) Here is the token verification code that each interface must invoke; the verification method itself is shown in (4).

$args['token'] = isset($_POST['token']) ? $_POST['token'] : '';
$tokencheck = AppUser::checkTokens($args['token'], 'u_adver');
if ($tokencheck != 90001) {
    // Anything other than 90001 is a failure code; return it to the app so it can re-login.
    $res['msg_code'] = $tokencheck;
    v_json($res); // framework helper that outputs the JSON response; the interface must not continue past here
}

(4) The token verification method. DB:: is the database operation class. Here a token that has not been used for seven days requires re-login (that is, a user who does not operate the app for 7 days has to log in again); each time an interface is called, the expiration time is refreshed.

public static function checkTokens($token, $table) {
    // Look up the stored expiry for this token; the lookup itself is the token comparison.
    $res = DB::getOneForFields($table, 'time_out', 'token1 = ?', array($token));
    if (!empty($res)) {
        if (time() - $res['time_out'] > 0) {
            return 90003; // token has expired after a long idle period; the user must log in again
        }
        $new_time_out = time() + 604800; // 604800 seconds = seven days
        if (DB::setWhere($table, array('time_out' => $new_time_out), 'token1 = ?', array($token))) {
            return 90001; // token valid and time_out refreshed; the interface may return its data
        }
    }
    return 90002; // token not found: validation failed
}
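As an added example (not the article's or the company's code), the whole lifecycle from steps (1) to (4) as a stand-alone PHP script against an in-memory SQLite table, so it runs offline and the seven-day sliding expiry can be exercised. It assumes PHP with the pdo_sqlite extension; the table and column names and the 9000x result codes follow the article, while the `$now` clock argument and the random_bytes()-based generator are this example's own choices.

```php
<?php
// Added example, not the article's code: token issue / check / sliding expiry
// on an in-memory SQLite table named u_adver (constructed here). The $now
// parameter is an assumption so that expiry can be tested without waiting.
const TOKEN_OK      = 90001; // valid, time_out refreshed
const TOKEN_INVALID = 90002; // unknown token
const TOKEN_EXPIRED = 90003; // expired, user must log in again
const TOKEN_TTL     = 604800; // seven days in seconds

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE u_adver (id INTEGER PRIMARY KEY, token1 TEXT UNIQUE, time_out INTEGER)');
$db->exec('INSERT INTO u_adver (id) VALUES (1)'); // constructed user row

// Step (2): on login, generate an unguessable token and store it with its expiry.
function issueToken(PDO $db, int $userId, int $now): string {
    $token = bin2hex(random_bytes(32)); // CSPRNG, unlike uniqid()/microtime()
    $st = $db->prepare('UPDATE u_adver SET token1 = ?, time_out = ? WHERE id = ?');
    $st->execute([$token, $now + TOKEN_TTL, $userId]);
    return $token;
}

// Steps (3)/(4): verify on every interface call; a valid hit slides time_out forward.
function checkTokens(PDO $db, string $token, int $now): int {
    $st = $db->prepare('SELECT time_out FROM u_adver WHERE token1 = ?');
    $st->execute([$token]);
    $timeOut = $st->fetchColumn();
    if ($timeOut === false) {
        return TOKEN_INVALID; // no row carries this token
    }
    if ($now - (int)$timeOut > 0) {
        return TOKEN_EXPIRED; // idle for more than seven days
    }
    $up = $db->prepare('UPDATE u_adver SET time_out = ? WHERE token1 = ?');
    $up->execute([$now + TOKEN_TTL, $token]);
    return TOKEN_OK;
}

$now   = time();
$token = issueToken($db, 1, $now);
var_dump(checkTokens($db, $token, $now + 3600));           // used within the window
var_dump(checkTokens($db, 'not-a-real-token', $now));      // unknown token
var_dump(checkTokens($db, $token, $now + 9 * 86400));      // idle past the refreshed expiry
```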
