JavaScript-front-end JS Ajax calls PHP Write API interface, how to card master security, prevent illegal call it?

The front-end JS Ajax calls PHP Write API interface, how to card master security, prevent illegal call it?

Reply content:

The front-end JS Ajax calls PHP Write API interface, how to card master security, prevent illegal call it?

I encountered the problem of the Lord in a WebApp project. Because APIs are prepared for apps, interacting with Ajax and APIs in WebApp also has to be used when interacting with the API.

When making a request to the API, there are two possible scenarios, one being a user login and one that is not logged in. In either case, the following is the way to go, but use different tokens when using tokens. The login user uses the Nonce token generated by the server at login, which is unique, while the user app is not logged in when the request is carried by a service-side and client-agreed token (as confidential as possible).

In the API design, as much as possible to follow the restful style, so in the submission of information, the token used for authentication is placed in the header, token authentication is designed I am the idea:

1. App login, the server creates tokens (token is encrypted string, can be decrypted, decrypted data contains login user information or non-user signed in the state of the agreed token), and the app and server side of the time difference in the Redis, and return the token to App,app to save it locally, using HTML5 's localstorage to easily

2. When the app requests the API interface, it passes in a access_token, which is access_token by token and timestamp, guaranteeing that each access_token is different, this Access_ Token is valid for a short period of time, as long as it is guaranteed to be effective in the case of the net speed comparison slag

3. After receiving this access_token, the service side, after decryption, extracts the data from the corresponding token from the Redis, compares the time difference, considers that it is invalid, and obtains the token corresponding to the USER_ID or whether the token is the agreed value.

This idea can:

1. Deny illegal calls that don't carry Access_token

2. Prevent inadvertent crawling to a access_token and want to use the Access_token for a massive Attack

Of course, encryption and decryption here will sacrifice some performance, this is just one of my ideas.

CSRF token

Token technology can be used to avoid being called by third-party programs

Lily, please.

• Token encryption backend After the token and the code to write the value of the encrypted data to compare and judge

Plus a token and back-end fit, pure front end solution I'd like to know if there's any.

Thank you, and I answered this question a little bit like, directly connected to the
https://segmentfault.com/q/1010000005057679?_ea=768330

JWT Token + HTTPS

Plus signature and other means is basically to improve the illegal call difficulty just, really want to play you have no eggs to use.
Above said HTTPS, also can only prevent other user's authorization information leaks, a little useful

It is generally said that the token I am useless I use the anti-theft chain.

• The back end determines the cookie.

• When transmitting, add a token verification.

