Processing of single sign-on token
Securing an API interface mainly means ensuring that request data cannot be tampered with and that requests cannot be replayed. The scheme here is built around three mechanisms: a token, a timestamp and a signature.

1. Token authorization mechanism

After the user logs in with a user name and password, the server returns a Token to the client. The Token must be unique; it can be derived from a UUID together with the local device identifier. The server stores the Token-UserId pair in a cache server (we use Redis) as a key-value entry with an expiration time. On every subsequent request the server looks the token up; if it does not exist (or has expired), the request is invalid. The token is the client's credential for accessing the server.

2. Timestamp timeout mechanism

The client carries the current timestamp in every request, and the server compares that timestamp with its own clock when the request arrives. If the difference exceeds a fixed window (for example, 30 seconds), the request is rejected. The timestamp window limits replay and data scraping: a captured request is only useful for as long as the window lasts. Note that it limits rather than eliminates replay; a captured request can still be resubmitted inside the window, so if a particular call must never be accepted twice, the server must also record a per-request nonce (or the signature itself) for the length of the window.

Of course, one thing needs attention here: the "current time" of the client and the server must agree. The alignment method we adopt is that when the client connects to the server for the first time, it calls an interface to obtain the server's current time A1, computes the difference with the client's current time B1 (A1 - B1 = AB) to get the offset AB, and then the client,

3.API signature mechanism

Hash "the request's API parameters" + "timestamp" + "salt" with MD5; the resulting digest is the signature of this request. After receiving the request, the server recomputes the signature with the same algorithm and compares it with the signature sent; if they differ, the parameters were modified in transit and an error is returned immediately. The signature mechanism ensures that the data cannot be tampered with. Two practical points: both sides must serialize the parameters in a fixed, agreed order (for example, sorted by key) or identical requests will hash differently; and MD5 is a plain hash, not a message authentication code, and its collision resistance is broken, so a keyed MAC such as HMAC-SHA256 with the salt as the key is the appropriate primitive for a production deployment.
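The three mechanisms above, as an added end-to-end example in Python; this is illustrative code written for this page, not the project's own implementation. It follows the construction the page describes (MD5 over parameters, timestamp and salt) rather than the recommended HMAC, so that the checks can be seen exactly as stated. Assumed details the page does not spell out: parameters are serialized as sorted `key=value` pairs joined by `&`; an in-memory dictionary stands in for the Redis Token-UserId map; the client applies the clock offset AB by adding it to its local time when it stamps a request; the salt value and all clock values are constructed for the demonstration.

```python
import hashlib
import hmac
import uuid

SKEW_SECONDS = 30            # the page's example window
TOKEN_TTL = 3600             # assumed token lifetime in seconds
SALT = "example-salt"        # constructed; in reality a secret shared by client and server


class TokenStore:
    """In-memory stand-in for the page's Redis Token -> UserId map (constructed)."""

    def __init__(self, now):
        self.now = now               # clock function, injected so the demo can fake time
        self.items = {}

    def issue(self, user_id):
        token = str(uuid.uuid4())    # page: token derived from a UUID
        self.items[token] = (user_id, self.now() + TOKEN_TTL)
        return token

    def lookup(self, token):
        entry = self.items.get(token)
        if entry is None or entry[1] < self.now():   # missing or expired
            return None
        return entry[0]


def canonical(params):
    # Assumed serialization: sorted key=value pairs joined by '&'.
    return "&".join(f"{k}={params[k]}" for k in sorted(params))


def sign(params, timestamp, salt=SALT):
    # The page's construction: MD5("API parameters" + "timestamp" + "salt").
    data = canonical(params) + str(timestamp) + salt
    return hashlib.md5(data.encode()).hexdigest()


class Client:
    def __init__(self, token, server_time, local_now):
        self.token = token
        self.local_now = local_now
        # Clock alignment: AB = A1 (server time) - B1 (client time), captured on first contact.
        self.offset = server_time - local_now()

    def build_request(self, params):
        ts = int(self.local_now() + self.offset)     # assumed: client stamps with local time + AB
        return {"token": self.token, "timestamp": ts,
                "params": dict(params), "sign": sign(params, ts)}


def verify(request, store, now):
    """Server-side checks in the page's order: token, timestamp window, signature."""
    user_id = store.lookup(request["token"])
    if user_id is None:
        return "invalid token"
    if abs(now() - request["timestamp"]) > SKEW_SECONDS:
        return "timestamp expired"
    expected = sign(request["params"], request["timestamp"])
    if not hmac.compare_digest(expected, request["sign"]):   # constant-time comparison
        return "bad signature"
    return "ok:" + user_id


def demo():
    t0 = 1_700_000_000                 # constructed server epoch time
    server_clock = [t0]
    now = lambda: server_clock[0]
    client_now = lambda: server_clock[0] + 120   # client clock runs two minutes fast

    store = TokenStore(now)
    token = store.issue("user42")
    client = Client(token, now(), client_now)    # first contact: fetch server time A1
    params = {"amount": "10", "to": "alice"}
    req = client.build_request(params)

    results = {"valid": verify(req, store, now)}
    # Parameter changed in transit: recomputed signature no longer matches.
    results["tampered"] = verify(dict(req, params={"amount": "9999", "to": "alice"}), store, now)
    # Token not issued by the server.
    results["bad_token"] = verify(dict(req, token="not-a-real-token"), store, now)
    # Client that skipped clock alignment: its raw timestamp is 120 s off.
    raw_ts = int(client_now())
    results["unaligned"] = verify({"token": token, "timestamp": raw_ts, "params": params,
                                   "sign": sign(params, raw_ts)}, store, now)
    # Captured request replayed after the window: rejected by the timestamp check.
    server_clock[0] = t0 + 31
    results["replay_after_window"] = verify(req, store, now)
    # The same capture replayed inside the window still passes all three checks.
    server_clock[0] = t0 + 5
    results["replay_inside_window"] = verify(req, store, now)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:22s} -> {outcome}")
```

The last two results make the page's "30 seconds at most" claim concrete: the timestamp window closes replay after 31 s but not at 5 s, which is why a per-request nonce is needed wherever a call must be accepted only once.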

4. Preventive measures

5. Security summary

Under the above mechanisms:

If someone intercepts a request and modifies its parameters, the signature check fails;

If someone uses a captured URL for DoS attacks or data scraping, it remains usable for at most 30 seconds (and within that window only if the server does not also track nonces);

What if the signature algorithm is leaked? That by itself is not a problem: the scheme must be designed so that knowing the algorithm gives an attacker nothing, and its only secret is the "salt" value. The salt is therefore the point to protect. It must never appear in logs or URLs, and a salt embedded in a shipped mobile or web client can be recovered by reverse engineering, so a per-user or per-device secret issued at login is considerably stronger than one global value.