客户端api设计时这个返回的Acess_token是怎么保证验证安全的-PHP Tutorial-php.cn

Table of Contents

回复内容：

Home

Backend Development

PHP Tutorial

客户端api设计时这个返回的Acess_token是怎么保证验证安全的

WBOYWBOYWBOYWBOYWBOYWBOYWBOYWBOYWBOYWBOYWBOYWBOYWB

Jun 06, 2016 pm 08:14 PM

android api certification php

刚看了一份api验证流程

客户端提交账号信息（用户名+密码）到服务端
服务端验证成功，返回AccessToken给客户端存储
3.访问受限资源时，客户端带入AccessToken就可访问。

其中第一步如果是被抓包的连接请求是不是也会返回AcessToken
返回的AcessToken被抓包后也被恶意请求的连接带上是不是也会通过验证
主要是不知道被抓包后获得的这个相同的AcessToken也用来请求服务器是怎么样验证的
请大神指点,这个AcessToken是怎么起到作用的，起到了什么作用，给点细节

回复内容：

刚看了一份api验证流程

客户端提交账号信息（用户名+密码）到服务端
服务端验证成功，返回AccessToken给客户端存储
3.访问受限资源时，客户端带入AccessToken就可访问。

如果传输过程中是明文传输，那么公网上是能劫持到AccessToken的，这个AccessToken在一定时间范围内，不论在谁的手里，都有其对应的用户权限。AccessToken泄露就意味着短时间内用户部分权限泄露。

1、一般API接口都是2小时有效期，APP的则是几天不等。服务器规定。
2、AccessToken可以规定只有部分权限，比如AccessToken1只能查看和编辑用户照片，AccessToken2只能查看和编辑用户好友列表。AccessToken1泄露了顶多把照片丢了，但不会把用户好友信息泄露和破坏。

这个AccessToken你可以认为是为了替换【每次传输账号密码进行验证】这个方法而产生的新方法，因为每次传输账号密码进行验证更不安全，一旦泄露那么就相当于用户所有权限永久泄露（除非用户改密码）。而AccessToken泄露则是仅在AccessToken有效时间内泄露其规定的资源范围内的权限。

服务器端并不验证是好鸟还是坏鸟拿着这个AccessToken使用。退一步讲如果黑客拿着你的账号密码登陆，服务器难道还要给你发一条短信让你输验证码么？（至少现在支付宝连自己APP内部的异常登录提示都不给你发了）

想保证AccessToken的安全，必须由用户侧（这里指服务提供商，比如segmentfault）和Oauth2提供者（比如新浪微博、微信）同时保证，中间数据传输一定要密文的才行。一般都是使用https传输，靠Oauth2提供者的https证书保证安全。如果使用http明文传输，或者https被劫持并被用户侧忽略，则AccessToken被恶意盗取的可能性就陡增。但也由于AccessToken有其权限范围，一般劫到AccessToken也做不了什么，顶多就是改改个人信息，发个垃圾微博啥的？毕竟改密码等高级权限可能这个AccessToken上没有（也不一定，很可能微博很懒根本就没给AccessToken设置权限范围）

没什么作用，只是为了在别人不知道你的accesstoken机制的时候进行一步防范。抓包知道这回事以后，提交是可以自己修改的。进一步是需要加入一些参数签名方法，或者是参数整体加密的方法来防止篡改。

客户端和服务器会约定加密方式，AccessToken也会过期。

https双向加密可以防止别人抓到你网络传输的AcessToken，客户端在保存Token到本地的时候可以加密存储

你可以把 access token 理解为 web 下的 cookie，如果 cookie 被偷走了，其实也是不安全的。
对于中间人来说，用 https 就好。
对于终端上的攻击者，你得从业务流程上做好防范，比如限制接口调用频率，引入合理的加密增加攻击难度。

你把AcessToken看成一个常规web应用中登录以后session中存储的user_id，就算抓包抓到了，他也只是获得了一个用户的账号密码以及用户的所有信息，类似个人用户密码被盗，不至于拿到整站数据这种风险
AcessToken被抓包后也被恶意请求的连接带上是不是也会通过验证？
这个要取决于你的AcessToken生成规则，如果是简单的md5(user_id)那肯定不行，这样每个用户每次生成的AcessToken都一样了，所以需要保证每次生成以后响应给客户端的都是不一样的，然后存储在redis这种数据库中key=AccessToken，value=user_id，如果做的极致一点应该是要有失效时间的，失效了就重新发起请求获取AcessToken
关于验证问题，web客户端存cookie里,APP客户端存本地数据库，每次请求都带上，然后每次比对请求过来的accesstoken在redis中找对应的user_id值，然后服务端取到user_id进行数据获取操作

这个是基本的一个逻辑，其中应该还会牵涉业务，要根据实际情况来进行调整了

OAuth2规定API必须用https，获取到token没那么容易
Token是有过期时间的，通常不会很长

个人喜欢用Json Web Token，楼主可以去查查相关的资料

AccessToken？以前做微博那帮人抓取的经常去找weico的key来用...

Statement of this Website

The content of this article is voluntarily contributed by netizens, and the copyright belongs to the original author. This site does not assume corresponding legal responsibility. If you find any content suspected of plagiarism or infringement, please contact admin@php.cn

Hot AI Tools

Undresser.AI Undress

AI-powered app for creating realistic nude photos

AI Clothes Remover

Online AI tool for removing clothes from photos.

Undress AI Tool

Undress images for free

Clothoff.io

AI clothes remover

Video Face Swap

Swap faces in any video effortlessly with our completely free AI face swap tool!

Hot Article

What's New in Windows 11 KB5054979 & How to Fix Update Issues

3 weeks ago By DDD

How to fix KB5055523 fails to install in Windows 11?

2 weeks ago By DDD

InZoi: How To Apply To School And University

4 weeks ago By DDD

How to fix KB5055518 fails to install in Windows 10?

2 weeks ago By DDD

Roblox: Dead Rails – How To Summon And Defeat Nikola Tesla

4 weeks ago By 尊渡假赌尊渡假赌尊渡假赌

Hot Tools

Notepad++7.3.1

Easy-to-use and free code editor

SublimeText3 Chinese version

Chinese version, very easy to use

Zend Studio 13.0.1

Powerful PHP integrated development environment

Dreamweaver CS6

Visual web development tools

SublimeText3 Mac version

God-level code editing software (SublimeText3)

Hot Topics

Where is the login entrance for gmail email?

7829

Java Tutorial

1648

CakePHP Tutorial

1402

Laravel Tutorial

1300

PHP Tutorial

1239

Related knowledge

PHP 8.4 Installation and Upgrade guide for Ubuntu and Debian Dec 24, 2024 pm 04:42 PM

PHP 8.4 brings several new features, security improvements, and performance improvements with healthy amounts of feature deprecations and removals. This guide explains how to install PHP 8.4 or upgrade to PHP 8.4 on Ubuntu, Debian, or their derivati

How To Set Up Visual Studio Code (VS Code) for PHP Development Dec 20, 2024 am 11:31 AM

Visual Studio Code, also known as VS Code, is a free source code editor — or integrated development environment (IDE) — available for all major operating systems. With a large collection of extensions for many programming languages, VS Code can be c

Explain JSON Web Tokens (JWT) and their use case in PHP APIs. Apr 05, 2025 am 12:04 AM

JWT is an open standard based on JSON, used to securely transmit information between parties, mainly for identity authentication and information exchange. 1. JWT consists of three parts: Header, Payload and Signature. 2. The working principle of JWT includes three steps: generating JWT, verifying JWT and parsing Payload. 3. When using JWT for authentication in PHP, JWT can be generated and verified, and user role and permission information can be included in advanced usage. 4. Common errors include signature verification failure, token expiration, and payload oversized. Debugging skills include using debugging tools and logging. 5. Performance optimization and best practices include using appropriate signature algorithms, setting validity periods reasonably,

PHP Program to Count Vowels in a String Feb 07, 2025 pm 12:12 PM

A string is a sequence of characters, including letters, numbers, and symbols. This tutorial will learn how to calculate the number of vowels in a given string in PHP using different methods. The vowels in English are a, e, i, o, u, and they can be uppercase or lowercase. What is a vowel? Vowels are alphabetic characters that represent a specific pronunciation. There are five vowels in English, including uppercase and lowercase: a, e, i, o, u Example 1 Input: String = "Tutorialspoint" Output: 6 explain The vowels in the string "Tutorialspoint" are u, o, i, a, o, i. There are 6 yuan in total

How do you parse and process HTML/XML in PHP? Feb 07, 2025 am 11:57 AM

This tutorial demonstrates how to efficiently process XML documents using PHP. XML (eXtensible Markup Language) is a versatile text-based markup language designed for both human readability and machine parsing. It's commonly used for data storage an

Explain late static binding in PHP (static::). Apr 03, 2025 am 12:04 AM

Static binding (static::) implements late static binding (LSB) in PHP, allowing calling classes to be referenced in static contexts rather than defining classes. 1) The parsing process is performed at runtime, 2) Look up the call class in the inheritance relationship, 3) It may bring performance overhead.

What are PHP magic methods (__construct, __destruct, __call, __get, __set, etc.) and provide use cases? Apr 03, 2025 am 12:03 AM

What are the magic methods of PHP? PHP's magic methods include: 1.\_\_construct, used to initialize objects; 2.\_\_destruct, used to clean up resources; 3.\_\_call, handle non-existent method calls; 4.\_\_get, implement dynamic attribute access; 5.\_\_set, implement dynamic attribute settings. These methods are automatically called in certain situations, improving code flexibility and efficiency.

PHP and Python: Comparing Two Popular Programming Languages Apr 14, 2025 am 12:13 AM

PHP and Python each have their own advantages, and choose according to project requirements. 1.PHP is suitable for web development, especially for rapid development and maintenance of websites. 2. Python is suitable for data science, machine learning and artificial intelligence, with concise syntax and suitable for beginners.

See all articles