mysql - 【php】关于php开发app接口的问题，求有经验的大神解答

Question

php开发app接口，用户登录问题

情况是这样的，之前的用户登录接口，登录成功以后服务器不存session，可能在app那端存着吧。所以即便用户登录成功，在调某些接口的时候，需要user_id还是要当作参数传递过去，而不是从服务器的 session里获取。

今天想修改登录注册的接口，我同事说app接口没有session的概念，但是我总觉得应该有其他方式将用户会话存在服务器。

所以我想请教各位大神：

1. php开发app接口有没有`session`的概念？
2. 如果没有，用户会话是怎么处理的？就是当前是否在登录状态

谢谢大家！

Answer 1

You can take a look at jwt
Self-contained: The payload contains all the information needed by the user

Answer 2

I set the token and expiration time, and use the token to verify

Answer 3

First, you create a login interface. The app calls this interface. After you verify the username and password passed by it, return a token to it.

Token you create a table to save, and the table stores user_id token expire_data and other fields. Note that token and user_id are unique.

Every time he requests other interfaces in the future, he only needs to bring this token to you, and you can verify the token.

The passed token is encrypted/expired/guaranteed to be unique, which is basically it.

Answer 4

1. The request header contains the user username 和 password ，到服务器端做验证，通过才继续下边业务逻辑。
优点：防止了服务器端 api and is called at will.
Disadvantages: The username and password are exchanged every time, the amount of interaction is large, and the clear text transmission of the password is unsafe.

2. The first request requires username and password. After verification, cookie is sent to the client, username 和 password ，验证通过，发送 cookie 到客户端， app 保存 cookie 值。
每次请求带上 cookie。
优点：和 pc Save cookie< /code> value.

Bring cookie with every request.

Advantages: The principle of browser authentication on pc is the same.
appOn the above two points, only registered users can have access to business logic.

And some

have a large number of APIs that do not require registration datatoken
3. Develop a

generation rule to generate a random string based on some common attributes shared by both the server and the client. The client generates this string, and the server verifies this string upon receiving the request.

Disadvantage: The random string generation rules must be kept confidential.

采纳答案

If my answer solves your problem, please click

🎜🎜

Answer 5

It can be done like this. Different users obtain different tokens through the authorization interface, set the expiration time for the token, let the client put the token in the header for each request, and update the token regularly

Answer 6

Use token to replace the traditional session_id stored in the client cookie, and then the token is used as the key name in databases such as redis, and the key value is the user uid, and the session_id can be simulated through the built-in expiration mechanism

Answer 7

Our company has token and expiration time. Every time you log in, the token will be refreshed

Answer 8

This is what I asked on our site when I was in doubt

1. Your colleague said that the app does not have the concept of session, I don’t think it is accurate! I hope my previous questions are helpful to you!

Answer 9

Login is when the server generates a successful login ID and returns it to the client. The client request brings the login ID, and the server verifies the user information by logging in

Answer 10

The safe thing to do is access_token. For this point, you can take a look at WeChat’s API interface;

The simple way isuser_id;