0

I'm writing a rails web service and i would like to use authlogic for authentication, since this seems to be one of the most used and active authentication gem. Our clients should be abled to authenticate with their user credentials, so i deciced to use http basic auth (authenticate_or_request_with_http_basic) with ssl.

I would like to add some more security by replacing the original password for authentication by a hash of password, url and request time to ensure that a request can be used only in a short time window. Since webservice and client time are not synchronized, i have to send the client time besides the login credentials. How can i add the client date to the authentication header and read it using the authenticate_or_request_with_http_basic method?

4

1 回答 1

0

为什么需要将时间详细信息发送给客户?您可以存储身份验证服务器端的 TTL,并根据该 TTL 验证所有未来的请求。

成功的身份验证可能会导致向客户端发送一条消息,说他们有 xxx 分钟/天(TTL)来做他们需要做的事情。当 TTL 过期时,您的 Web 服务应该向客户端返回中性响应(就像身份验证尝试失败一样 - 以保护自己免受黑客攻击)。

最好不要乱用客户日期信息。如果他们机器上的日期有误怎么办?

更新:我仍然担心整个客户约会的事情。看看其他人如何使用 rails 实现 API

于 2012-07-09T10:05:06.127 回答