A question about token verification in the interface between APP and web server?-PHP Tutorial-php.cn

Home

Backend Development

PHP Tutorial

A question about token verification in the interface between APP and web server?

WBOYWBOYWBOYWBOYWBOYWBOYWBOYWBOYWBOYWBOYWBOYWBOYWB

Jul 06, 2016 pm 01:31 PM

apiheadertokenuser

If I get all the parameters and headers such as api_token, user_token, etc. through packet capture, then in a short period of time, I can directly bring the parameters I obtained, and the verification rules will still pass. Can I use this interface? The only way I can think of is to shorten the token verification time. I wonder how the masters solved this problem?

Reply content:

This is what tokens do... aren't they just designed for you to use? The main purpose of designing the token is not to save the user's username and password for a long time, so it is converted into a random code. This code itself has the function of replacing the username and password, so once it is leaked, the natural consequences will be serious.
Nowadays, APIs with high security levels can generally only use HTTPS. In this way, the content of the connection cannot be captured from the middle of the path, so the token will not be leaked to others. As for the two ends, one is originally the user and the other is your own server. This token is the content that should be shared between both parties.
There was another design in the past that used two values api_key and secret_key, where api_key is transmitted in clear text in HTTP, while secret_key does not appear in HTTP clear text, but participates as part of the MD5 Hash, generally the entire URL parameter Normalize (sort by parameter name, uniformly convert to lowercase, and correctly encode the URL), then add secret_key, calculate MD5, and then pass MD5 as an additional sig parameter through HTTP, so that even if the package is caught in the middle, it can only If you see api_key but not secret_key, you cannot use this interface freely. But this design has weaknesses for replay. Although I can't freely recombine parameters, I can reuse previously captured parameters, which is still unsafe; moreover, there is a lack of a means to safely distribute secret_key to the terminal. . So it is actually more effective to use HTTPS directly.

As a reference, let’s take a look at the design of OAuth 2.0. OAuth 2.0 is a third-party login that involves the relationship between users, authentication centers, and third-party applications. The problems it encounters are more complicated. We can see how it obtains the token and prevents the token from being leaked to parties that should not be leaked:

The OAuth server and the third-party server know the same api_key, secret_key at the same time
User and The third-party server knows the api_key at the same time (usually carried by a third-party application or Web page)
The user and the OAuth server know the same username and password at the same time, and the third-party application does not know
User application When a third party logs in, use api_key to call the OAuth server login interface (generally guided by a third-party application), use the OAuth server page to enter the username and password, and the OAuth server returns auth_code, which can be regarded as a temporary token. This step must use https to ensure that the username and password are not stolen.
Users use auth_code to call the interface of third-party applications (usually completed automatically by the callback mechanism). This step can use HTTP, so auth_code may be leaked
Third-party applications use auth_code api_key secret_key to call OAuth The second step of the server's login interface is to obtain the access_token, which is the official token. Although the auth_code may be leaked, since the secret_key cannot be obtained by the attacker, the auth_code cannot be used in exchange for the token. This step must use HTTPS to ensure that secret_key is not leaked.

At this point, the third-party application has successfully obtained the access_token, and this access_token is only shared between the OAuth server and the third-party server and will not be leaked to third parties including users. It can be seen that this process mainly relies on the encryption features of HTTPS to ensure that the most important data (username, password, secret_key) are not leaked. In addition, tokens with different security levels should have different timeouts. For example, auth_code has a very short timeout, while access_token has a relatively long timeout.

The interface uses https, and the captured packets are all garbled. But is there also a way to pretend to be a middleman? Thank you...
The most extreme method:
Each token is only valid once...

Of course, this involves a lot of read and write operations.
SO… I don’t usually do this… Random number plus token plus timestamp are used for md5 signature, and the signature, random number and timestamp are sent to the server together. This is not the case. On the server side, the session must be judged first, and only after passing it will it enter the token verification we wrote. 1: https;
2: The authentication module is independent, the token is entered into the session, and verified again. This is related to the design of the authentication;
3: The token is changed frequently, depending on the business importance;

The above personal opinions may not be rigorous.

Statement

The content of this article is voluntarily contributed by netizens, and the copyright belongs to the original author. This site does not assume corresponding legal responsibility. If you find any content suspected of plagiarism or infringement, please contact admin@php.cn

如何快速把你的 Python 代码变为 APIApr 14, 2023 pm 06:28 PM

提到API开发，你可能会想到DjangoRESTFramework，Flask，FastAPI，没错，它们完全可以用来编写API，不过，今天分享的这个框架可以让你更快把现有的函数转化为API，它就是Sanic。Sanic简介Sanic[1]，是Python3.7+Web服务器和Web框架，旨在提高性能。它允许使用Python3.5中添加的async/await语法，这可以有效避免阻塞从而达到提升响应速度的目的。Sanic致力于提供一种简单且快速，集创建和启动于一体的方法

登录token无效怎么办Sep 14, 2023 am 11:33 AM

登录token无效的解决办法有检查Token是否过期、检查Token是否正确、检查Token是否被篡改、检查Token是否与用户匹配、清除缓存或Cookie、检查网络连接和服务器状态、重新登录或请求新的Token、联系技术支持或开发人员等。详细介绍：1、检查Token是否过期，登录Token通常会设置有效期，一旦超过有效期，就会被认为无效等等。

登录token无效问题如何解决Sep 14, 2023 am 10:57 AM

登录token无效问题可以通过检查网络连接、检查token有效期、清除缓存和Cookie、检查登录状态、联系应用程序开发者和加强账号安全来解决。详细介绍：1、检查网络连接，重新连接网络或者更换网络环境；2、检查token有效期，重新获取一个新的token，或者联系应用程序的开发者；3、清除缓存和Cookie，清除浏览器缓存和Cookie，然后重新登录应用程序；4、检查登录状态。

SpringBoot怎么通过Feign调用传递Header中参数May 16, 2023 pm 08:38 PM

【SpringBoot】通过Feign调用传递Header中参数如何通过Feign传递Header参数问题描述我们在SpringCloud中使用Feign请求另一个服务的Api接口时，有将Header中参数传递下去的需求，如果不做特殊处理，就会将Header中的参数丢失。解决方案方案一：通过@RequestHeader(name="headerName")来传递例如：Feign定义如下@FeignClient(name="service-name")pub

linux的header是什么意思Jul 18, 2023 pm 03:34 PM

linux的header是指在文件或数据流中的开头部分，用于包含关于内容的元数据，通过正确地编写和使用Header文件，开发者能够更好地利用系统资源，提高代码的可读性和可维护性。

Redis存储用户token问题怎么解决May 31, 2023 am 08:06 AM

Redis存储用户token在设计类似电商的系统时，一个常见的需求是每个页面都需要携带登录用户信息。常见的解决方法有两种：使用cookie保存使用JWT保存但如果系统中使用了Redis缓存，那么还可以有第三种解决方案–将用户token缓存在Redis中。登陆时生成一个token存入Redis//生成一个token对象,保存在redis中redisTemplate.opsForHash().put("token","user",user)

Vue3+Vite怎么使用双token实现无感刷新May 10, 2023 pm 01:10 PM

一、token登录鉴权jwt：JSONWebToken。是一种认证协议，一般用来校验请求的身份信息和身份权限。由三部分组成：Header、Hayload、Signatureheader：也就是头部信息，是描述这个token的基本信息，json格式{"alg":"HS256",//表示签名的算法，默认是HMACSHA256（写成HS256）"type":"JWT"//表示Token的类型，JWT令牌统一写为JWT}pa

让机器人学会咖啡拉花，得从流体力学搞起！CMU&MIT推出流体模拟平台Apr 07, 2023 pm 04:46 PM

机器人也能干咖啡师的活了！比如让它把奶泡和咖啡搅拌均匀，效果是这样的：然后上点难度，做杯拿铁，再用搅拌棒做个图案，也是轻松拿下：这些是在已被ICLR 2023接收为Spotlight的一项研究基础上做到的，他们推出了提出流体操控新基准FluidLab以及多材料可微物理引擎FluidEngine。研究团队成员分别来自CMU、达特茅斯学院、哥伦比亚大学、MIT、MIT-IBM Watson AI Lab、马萨诸塞大学阿默斯特分校。在FluidLab的加持下，未来机器人处理更多复杂场景下的流体工作也都

See all articles