Detailed explanation of app interface token

1. First of all, let’s talk about what an interface is: Simply put, an interface is a bridge used by the server to return data to other programs or clients

2. The function of the interface: return according to fixed parameters Fixed data, for example, if the client passes a=1, then the server will return a's name, if the client passes a=2, the server will return a's gender, but will not return other data.

3. The role of signature: to ensure the security of interfaces and data

4. The role of token: the same as the PC login session, as the only ticket for user entry

For example: the interface between the app and the server, the interface between different programs between java and php, these interfaces generally transmit data in json format

So in order to ensure the relative security of data transmission between the mobile terminal and the server, the interface needs to be encrypted Transmission

1. Design purpose of token:
Because the APP side does not have the same session mechanism as the PC side, it cannot determine whether the user is logged in and cannot maintain the user status, so a mechanism is needed to achieve this. Session, this is the role of token. The token is the only ticket for the user to log in. As long as the token sent by the APP is consistent with the server, it can prove that you have logged in (just like when you go to a movie, you need to buy a ticket, just hold the ticket) Can enter)

2. Types of token design:
(1) Third-party login type: This token is shaped like WeChat’s access_token. The design principle is based on OAuth2.0. Its characteristics It is refreshed regularly (for example, refreshed every two hours). The purpose is because when the data source gives login permission to a third-party server, it must control its validity period and permissions. Otherwise, the third-party server can obtain users from the data source server indefinitely without the user's consent. Arbitrary data

(2) APP self-use login type: This kind of token is the token used by general APPs. Because it does not go through a third party, but the user directly obtains the data source server data, so the design is more casual, and only needs Just ensure the uniqueness of its token

3. Implementation steps for APP self-use login token:
(1) Add the token field and time_out token expiration time field to the database user table
(2) User login (also required for automatic login during registration) generate a token and the expiration time and store it in the table
(3) Before calling other interfaces, judge whether the token is correct. If it is correct, continue, if it is wrong, let the user log in again

4. APP self-use login token implementation code (company’s self-use framework and logic, mainly depends on the logic, do not copy the code directly):

（1）//下面是用户登陆时把token插入数据库的代码
$logininfo['token'] = appuser::settoken();
$time_out = strtotime("+7 days");
db::setByPk('u_adver', array('token1' => $logininfo['token'], 'time_out' => $time_out), $logininfo['id']);


（2）//下面是生成token方法代码
    public static function settoken()
    {
        $str = md5(uniqid(md5(microtime(true)),true));  //生成一个不会重复的字符串
        $str = sha1($str);  //加密
        return $str;
    }

（3）//下面是每个接口都必须调用的token验证代码，验证具体实现是在（4）
$args['token'] = $_POST['token'];
$tokencheck = appuser::checktokens($args['token'], 'u_adver');
        if ($tokencheck != 90001)
        {
            $res['msg_code'] = $tokencheck;
            v_json($res);
        }


（4）//token验证方法，db::是数据库操作类，这里设置是token如果七天没被调用则需要重新登陆（也就是说用户7天没有操作APP则需要重新登陆），如果某个接口被调用，则会重新刷新过期时间
    public static function checktokens($token, $table)
    {
        $res = db::getOneForFields($table, 'time_out', 'token1 = ?', array($token));
        if (!empty($res))
        {
            if (time() - $res['time_out'] > 0) 
            {
                return 90003;  //token长时间未使用而过期，需重新登陆
            }
            $new_time_out = time() + 604800;//604800是七天
            if (db::setWhere($table, array('time_out' => $new_time_out), 'token1 = ?', array($token)))
            {
                return 90001;  //token验证成功，time_out刷新成功，可以获取接口信息
            }
        }
        return 90002;  //token错误验证失败
    }

Related recommendations:

PHP WeChat Methods for public accounts to verify tokens, reply content, and push messages

PHP development APP interface video tutorial

Share about writing php app interfaces and return json data example

The above is the detailed content of Detailed explanation of app interface token. For more information, please follow other related articles on the PHP Chinese website!