为 Laravel 4 RESTful API 身份验证实现令牌
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/18863236/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
Implement token for Laravel 4 RESTful API authentication
提问by davidcoder
I'm a beginner to Laravel 4 framework and PHP.
我是 Laravel 4 框架和 PHP 的初学者。
Currently, I'm trying to do a simple authentication process between client application and server.
目前,我正在尝试在客户端应用程序和服务器之间进行简单的身份验证过程。
Below is my planned approach:
以下是我计划的方法:
Client logs in to server via GET request with username and password.
Server validates and returns a token string if successful. The token string will be encoded (hashed?) with the username, password and expiration time.
Client submits a request, including the given token. Server will validate token (decode it -> check username/password and expired time). If successful, it will process the client's request.
客户端使用用户名和密码通过 GET 请求登录到服务器。
如果成功,服务器验证并返回令牌字符串。令牌字符串将使用用户名、密码和到期时间进行编码(散列?)。
客户端提交一个请求,包括给定的令牌。服务器将验证令牌(解码它 -> 检查用户名/密码和过期时间)。如果成功,它将处理客户端的请求。
What is the best way to generate the token with the above parameters given, and decode it at the server side?
使用给定的上述参数生成令牌并在服务器端对其进行解码的最佳方法是什么?
Thank you, and I appreciate your time and help.
谢谢,我感谢您的时间和帮助。
回答by Martin Komara
I don't think it is good idea to store user name and password encoded in some kind of token. Instead generate random token after successful login and store data related to the token on server side.
我认为存储以某种令牌编码的用户名和密码不是一个好主意。而是在成功登录后生成随机令牌并将与令牌相关的数据存储在服务器端。
You may store record about each login into some table with columns token, user_id, valid_until.
After each request, look for token in the database, check if it is still valid and use user_idfor authentication.
您可以将有关每次登录的记录存储到某个包含token, user_id,列的表中valid_until。每次请求后,在数据库中查找令牌,检查它是否仍然有效并user_id用于身份验证。
You may think of token as one-time user and password, e.g. consider first 8 characters of token as temporary user name and the rest as password, if you feel uneasy about allowing access without password :)
您可以将令牌视为一次性用户和密码,例如,将令牌的前 8 个字符视为临时用户名,其余为密码,如果您对允许无密码访问感到不安:)
Also you may want to run some cron job to remove expired records from database every day or so.
此外,您可能希望每天运行一些 cron 作业来从数据库中删除过期的记录。
回答by rohitnaidu19
You can use JWT JSON web Tokens for authentication to eliminate sessions and cookies completely. Similar approach is used by Facebook. Once you login with email and pwd you get a Web Token so even if its hacked you can't get the pwd from it. You can set a time limit to expire the token.
您可以使用 JWT JSON Web Tokens 进行身份验证以完全消除会话和 cookie。Facebook 使用了类似的方法。一旦您使用电子邮件和密码登录,您将获得一个网络令牌,因此即使它被黑客入侵,您也无法从中获取密码。您可以设置使令牌过期的时间限制。
