1. Token-based authentication and authorization, to prevent unauthorized users from obtaining data;
2. Timestamp timeout mechanism;
3. URL signature to prevent the request parameters from being tampered with;
4. Replay prevention, so that a captured request cannot be submitted a second time, which also hinders bulk scraping of the interface;
5. Use HTTPS, so that data is not transmitted in plaintext;
Using every one of these measures at once makes the system overly complicated; in a real project you choose according to your situation. For example, you might use only the signature mechanism to guarantee that parameters cannot be tampered with, or only the token mechanism when providing a service to specific authenticated users. The choice depends on the project and on how much security the interface actually requires.
HTTP is stateless: each request is handled on its own, and when the next request arrives the server does not by itself know which user sent it. For modules with access restrictions, state management is therefore needed, so that the server can identify which user initiated the HTTP request and decide whether that user is allowed to continue.
The token design works as follows. After the user logs in with a username and password, the server returns a token to the client and stores it server-side in a cache (usually Redis) as a key-value pair. The client then sends this token with every request to a module that requires authorization, and the server checks it on receipt: if the token exists in the cache (and has not expired), the request is treated as authorized.
Design requirements for token generation:
1. A token must be unique within the application; otherwise authorization is confused and user A sees user B's data;
2. The token generated at each login must be different, so that a recorded token does not amount to permanent authorization;
3. Generally, the token is the Redis key and the value holds the cached information for that user, such as the user's ID;
4. Set an expiry time on the token; after it expires the client must log in again to obtain a new one. If the validity period is short, the user is asked to log in repeatedly and the experience is poor. One common approach is a silent re-login: when the client receives the token-expired notice, it logs in again in the background with the locally saved username and password and obtains a new token. The caveat is that this persists the password on the client, which widens the exposure if the device is compromised. The other approach is a separate interface for refreshing the token; the refresh mechanism then needs the same care as login itself (the refresh credential must be bound to the user, must be unguessable, and must expire too).
Given the above requirements, a straightforward construction is Token = md5(user ID + login timestamp + server-side key): the user ID is unique within the application, and the login timestamp differs at each login. The server-side key is a string (a salt) configured on the server that is mixed into the hash, which makes the token harder to forge or guess, so be careful not to disclose it. Two caveats a practitioner would add: this is hashing, not encryption, and since the user ID and timestamp are predictable the secrecy of the server key is the only thing preventing an attacker from computing other users' tokens; and MD5 is deprecated for security use. Because the token is only an opaque lookup key in Redis, a better choice is random bytes from a cryptographically secure generator, whose unpredictability does not depend on any key staying secret; if a derived token is required, prefer HMAC-SHA256 keyed with the server key over a bare MD5 of concatenated strings.
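The following is an added example, not code from the original article, that implements the token scheme described above: the article's md5(user ID + login timestamp + server key) construction side by side with the random-token alternative, an in-memory dict standing in for the Redis key-value store (an assumption; a real deployment would use redis-py with SETEX), and lazy expiry on verification. The names `issue_token`, `verify_token`, `TOKEN_TTL_SECONDS` and the server key value are illustrative.

```python
import hashlib
import secrets
import time

# In-memory dict standing in for the Redis store the article describes
# (assumption: a real deployment would use redis-py with SETEX for the TTL).
TOKEN_STORE = {}
TOKEN_TTL_SECONDS = 3600


def make_token_md5(user_id, login_ts, server_key):
    """Token = md5(user_id + login_timestamp + server_key), as the article proposes.

    Note: same user logging in twice within the same second yields the same
    token; use millisecond precision or add a nonce if that matters.
    """
    raw = f"{user_id}{login_ts}{server_key}".encode()
    return hashlib.md5(raw).hexdigest()


def make_token_random():
    """Preferred alternative: 32 random bytes from a CSPRNG, hex-encoded.

    Unique and unpredictable by construction, and its safety does not depend
    on the server key staying secret.
    """
    return secrets.token_hex(32)


def issue_token(user_id, server_key, now=None, scheme="random"):
    """Called after a successful password login; stores token -> user info with expiry."""
    now = time.time() if now is None else now
    if scheme == "md5":
        token = make_token_md5(user_id, int(now), server_key)
    else:
        token = make_token_random()
    TOKEN_STORE[token] = {"user_id": user_id, "expires_at": now + TOKEN_TTL_SECONDS}
    return token


def verify_token(token, now=None):
    """Return the user id bound to a live token, or None if unknown or expired."""
    now = time.time() if now is None else now
    entry = TOKEN_STORE.get(token)
    if entry is None:
        return None
    if now >= entry["expires_at"]:
        TOKEN_STORE.pop(token, None)  # lazy expiry, what Redis TTL does for you
        return None
    return entry["user_id"]


if __name__ == "__main__":
    key = "server-side-secret"  # assumption: loaded from config, never shipped to clients
    t = issue_token("42", key, scheme="md5")
    print("md5-scheme token:", t, "->", verify_token(t))
    r = issue_token("42", key)
    print("random token:", r, "->", verify_token(r))
```

Either scheme satisfies the article's four requirements once the store enforces a TTL; the difference is that the random token stays unguessable even if the server key leaks.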
Every client request carries the current timestamp. The server compares it with its own clock and rejects the request if the difference exceeds a chosen window (for example, 1 minute). This bounds how long a captured request remains usable, which is what makes replay prevention tractable. It is often described as a defense against DoS, but on its own it does not stop an attacker who simply keeps sending freshly timestamped requests, and the window has to tolerate the clock skew between client and server.
Anyone who has integrated Alipay or WeChat Pay will be familiar with URL signatures. The client computes a signature over the plaintext parameters it sends; the server recomputes it with the same algorithm and the same shared secret (without a secret in the computation, a middleman could simply recompute the signature after tampering), and comparing the two signatures shows whether the parameters were modified in transit.
Signature algorithm:
1. First, the request parameter keys are sorted alphabetically and placed in an array (usually the requested interface address also needs to be included in what is signed, so an extra url= is required =
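The article's list of signing steps is cut off after the first one, so the following is an added example, not the article's own algorithm, that combines the timestamp window, the URL signature and a nonce-based replay check into one request/response exchange. It assumes the canonical string is the sorted key=value pairs joined with `&` and prefixed with `url=`, that the signature is HMAC-SHA256 keyed with a shared secret, and that seen nonces are kept in an in-memory dict standing in for Redis SETNX with a TTL; the names `client_build_request`, `server_verify`, `APP_SECRET` and `TIMESTAMP_WINDOW_SECONDS` are illustrative.

```python
import hashlib
import hmac
import secrets
import time

TIMESTAMP_WINDOW_SECONDS = 60
SEEN_NONCES = {}  # nonce -> expiry; stands in for Redis SETNX + TTL (assumption)
APP_SECRET = "server-side-key"  # assumption: shared out of band, never sent on the wire


def canonical_string(url, params):
    """Sort parameter keys alphabetically and put url= first, as the article describes.

    The sign parameter itself is excluded so both sides hash the same input.
    """
    items = sorted((k, v) for k, v in params.items() if k != "sign")
    parts = ["url=" + url] + [f"{k}={v}" for k, v in items]
    return "&".join(parts)


def sign(url, params, secret):
    """HMAC-SHA256 over the canonical string; keyed so a middleman cannot recompute it."""
    msg = canonical_string(url, params).encode()
    return hmac.new(secret.encode(), msg, hashlib.sha256).hexdigest()


def client_build_request(url, params, secret, now=None):
    """Client side: add timestamp and a fresh nonce, then sign everything."""
    now = int(time.time()) if now is None else now
    p = dict(params, timestamp=str(now), nonce=secrets.token_hex(8))
    p["sign"] = sign(url, p, secret)
    return p


def server_verify(url, params, secret, now=None):
    """Server side: timestamp window, then signature, then replay check.

    Returns (ok, reason). Signature is checked before the nonce is recorded so
    that an unauthenticated sender cannot burn nonces or fill the store.
    """
    now = int(time.time()) if now is None else now
    try:
        ts = int(params["timestamp"])
    except (KeyError, ValueError):
        return False, "missing timestamp"
    if abs(now - ts) > TIMESTAMP_WINDOW_SECONDS:  # abs() tolerates client clock skew
        return False, "timestamp outside window"
    expected = sign(url, params, secret)
    if not hmac.compare_digest(expected, params.get("sign", "")):
        return False, "bad signature"
    # Purge nonces older than the window, then refuse any nonce already seen.
    for n in [n for n, exp in SEEN_NONCES.items() if exp <= now]:
        del SEEN_NONCES[n]
    nonce = params.get("nonce", "")
    if not nonce or nonce in SEEN_NONCES:
        return False, "replay"
    SEEN_NONCES[nonce] = now + TIMESTAMP_WINDOW_SECONDS
    return True, "ok"


if __name__ == "__main__":
    req = client_build_request("/api/order", {"amount": "10", "item": "book"}, APP_SECRET)
    print("first delivery:", server_verify("/api/order", req, APP_SECRET))
    print("replayed:", server_verify("/api/order", req, APP_SECRET))
    print("tampered:", server_verify("/api/order", dict(req, amount="1"), APP_SECRET))
```

The timestamp window is what lets the nonce store stay small: a nonce only has to be remembered for as long as its request could still pass the timestamp check, after which the timestamp rejects the replay on its own.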