Detailed explanation of token in php interface

This article mainly shares with you the detailed explanation of the token of the PHP interface, hoping to help everyone. Let’s first take a look at the summary of interface characteristics:

Summary of interface characteristics:

1. Because it is non-open, all interfaces are closed and only available to internal users of the company. The product is valid;

2. Because it is non-open, the OAuth protocol is not feasible because there is no intermediate user authorization process;

3. Some interfaces require users to log in to access. ;

4. Some interfaces can be accessed without user login;

PHP Token(Token)

In view of the above characteristics, the mobile terminal and Server-side communication requires 2 keys, namely 2 tokens.

The first token is for the interface (api_token);
The second token is for the user (user_token);

Let’s talk about the first one first token (api_token)

Its responsibility is to maintain the concealment and effectiveness of interface access and ensure that the interface can only be used by its own family. How to do this? The reference idea is as follows:
Generate a random string based on the common attributes shared by both the server and the client. The client generates this string, and the server also generates a string based on the same algorithm to verify the client's string.

The current interface is basically MVC mode, and the URL is basically restful style. The general format of the URL is as follows:
http://blog.snsgou.com/module name/controller name/method name?parameter name 1=Parameter value 1&Parameter name 2=Parameter value 2&Parameter name 3=Parameter value 3
The interface token generation rules are as follows:
api_token = md5 ('Module name' + 'Controller name' + 'Method name ' + '2013-12-18' + 'Encryption Key') = 770fed4ca2aabd20ae9a5dd774711de2
where
1, '2013-12-18' is the time of the day,
2, 'Encryption Key' is Private encryption key. After the mobile phone needs to register an "interface user" account on the server, the system will assign an account and password. The data table design reference is as follows:
Field name field type comment
client_id varchar( 20) Client ID
client_secret varchar(20) Client (encryption) key

Server interface verification, PHP implementation process is as follows:

<?php   
// 1、获取 GET参数 值   
$module = $_GET[&#39;mod&#39;]; $controller = $_GET[&#39;ctl&#39;]   
$action = $_GET[&#39;act&#39;]; $client_id = $_GET[&#39;client_id&#39;];   
$api_token = $_GET[&#39;api_token‘];   
// 2、根据客户端传过来的 client_id ，查询数据库，获取对应的 client_secret   
$client_secret = getClientSecretById($client_id);   
// 3、服务端重新生成一份 api_token   
$api_token_server = md5($module . $controller . $action .  date(&#39;Y-m-d&#39;, time()) .  $client_secret);   
// 4、客户端传过来的 api_token 与服务端生成的 api_token 进行校对，如果不相等，则表示验证失败   
if ($api_token != $api_token_server) {   
    exit(&#39;access deny&#39;);  // 拒绝访问 } // 5、验证通过，返回数据给客户端    
?>

Let’s talk about the second token (user_token)

Its responsibility is to protect the user’s username and password from being submitted multiple times to prevent password leakage.

If the interface requires user login, the access process is as follows:
1. The user submits the "user name" and "password" to log in (if conditions permit, it is best to use https for this step);
2. After successful login, the server returns a user_token. The generation rules are as follows:
user_token = md5('user's uid' + 'Unix timestamp') = etye0fgkgk4ca2aabd20ae9a5dd77471fgf
The server uses a data table to maintain the status of user_token , the table design is as follows:
Field name field type annotation
user_id int user ID
user_token varchar(36) user token
expire_time int expiration time (Unix timestamp)

(Note: Only the core fields are listed, please expand the others!!!)

After the server generates the user_token, it returns it to the client (storage by itself), and the client makes every interface request If the interface requires user login to access, user_id and user_token need to be passed back to the server. After the server receives these two parameters, it needs to do the following steps:

1. Detect the validity of api_token property;

2. Delete expired user_token table records;

3. Get table records based on user_id, user_token. If the table record does not exist, an error will be returned directly. If the record exists, proceed to the next step. One step;

4. Update the expiration time of user_token (extended to ensure that continuous operations will not be dropped during its validity period);

5. Return interface data;

Interface usage examples are as follows:

Request method: POST
POST parameters: title=I am the title&content=I am the content
Return data:

{       'code' => 1, 
// 1:成功 0:失败      
'msg' => '操作成功' 
// 登录失败、无权访问     
 'data' => []
 }

How to prevent token hijacking?

There is definitely a problem of token leakage. For example, if I get your mobile phone and copy your token, I can log in as you elsewhere before it expires.
A simple way to solve this problem
1. When storing, symmetrically encrypt the token and store it, and then decrypt it when used.
2. Combine the request URL, timestamp, and token and add a salt signature, and the server verifies the validity.
The starting point of both methods is: it is easier to steal your stored data, but it is more difficult to disassemble your program and hack your encryption, decryption and signature algorithms. However, it is actually not difficult to say that it is difficult, so after all, it is an approach to guard against gentlemen rather than villains.

Related recommendations:

Instance method of PHP implementing Token

Detailed explanation of token in app interface

How to set the WeChat applet url and token

The above is the detailed content of Detailed explanation of token in php interface. For more information, please follow other related articles on the PHP Chinese website!