
I'm developing a RESTful(ish) API with the following authentication style:

  • The client calls an "authenticate" API method, passing the username and password via HTTPS POST. This method returns basic account information and a "client token", which is stored on the user's account in the database.

  • All further API calls (all via HTTPS POST) require the client token. If the system cannot find the requester by client token, the call is rejected.

My open questions are: 1) Does anyone think this is a major security problem? 2) Is there any good reason I should have the client token expire or change over time? Right now I assign a random one to each user. If the user logs out or forgets their password, I generate a new one.

I'd like to hear what people think of this approach. I'm not trying to be innovative; I just want to be aware of the risks of this approach.


1 Answer


What you've described is functionally equivalent to a session cookie, only reimplemented in your application, and therefore subject to a number of pitfalls that have likely already been dealt with by most web frameworks.

  • Ensure your tokens have enough bits of entropy. If the tokens are simple 32-bit integers, wild guesses might be enough to hit on one in use by someone else.
  • If you're generating these tokens randomly, ensure you use a cryptographically-strong source of random numbers, or the next token might be guessable based on previous tokens.
  • If these POST requests are coming from scripts and such embedded in web pages, passing the token around as an explicit parameter instead of as a cookie declared secure and httponly makes token-stealing by cross-site scripts much easier.
answered 2012-09-18T02:55:05.047
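The following is an added example, not code from the question or the answer above. It shows the two points the answer makes about the token itself (enough entropy, drawn from a cryptographically strong source) and, as an assumption that goes beyond the answer, adds the expiry and logout/password-reset revocation the question asks about. The in-memory `store` dict, the `ttl_seconds` parameter and the function names are all hypothetical; a real service would use its database instead of the dict. Only a SHA-256 digest of each token is stored, so a leaked table of client tokens is not directly usable.

```python
import hashlib
import math
import secrets
from typing import Optional

# 32 bytes = 256 bits of entropy from the OS CSPRNG (secrets module),
# versus the 32-bit integer the answer warns against.
TOKEN_BYTES = 32


def _digest(token: str) -> str:
    # Hashing before lookup means the raw token never needs to be stored or
    # compared directly; the database holds only the digest.
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


def issue_token(store: dict, user_id: str, ttl_seconds: int, now: float) -> str:
    """Create a fresh client token for user_id and record its digest and expiry.

    `store` is a hypothetical stand-in for the user/token table.
    Returns the raw token; this is the only time it exists server-side.
    """
    token = secrets.token_urlsafe(TOKEN_BYTES)  # CSPRNG-backed, URL-safe base64
    store[_digest(token)] = {"user_id": user_id, "expires_at": now + ttl_seconds}
    return token


def lookup_token(store: dict, token: str, now: float) -> Optional[str]:
    """Return the user_id owning `token`, or None if unknown or expired."""
    record = store.get(_digest(token))
    if record is None:
        return None
    if record["expires_at"] <= now:
        # Expired entries are dropped on sight so they cannot accumulate.
        del store[_digest(token)]
        return None
    return record["user_id"]


def revoke_user_tokens(store: dict, user_id: str) -> int:
    """Invalidate every token for user_id (logout / password reset).

    Returns the number of tokens removed.
    """
    doomed = [d for d, rec in store.items() if rec["user_id"] == user_id]
    for d in doomed:
        del store[d]
    return len(doomed)


def guess_success_probability(active_tokens: int, token_bits: int) -> float:
    """Chance that one uniformly random guess matches any currently active token.

    Illustrates the answer's entropy point: with N live tokens of b bits,
    a single blind guess succeeds with probability N / 2**b.
    """
    return active_tokens / math.ldexp(1.0, token_bits)


if __name__ == "__main__":
    db: dict = {}  # constructed in-memory stand-in for the accounts table
    t0 = 1_000_000.0
    tok = issue_token(db, "alice", ttl_seconds=3600, now=t0)
    print("issued token of length", len(tok))
    print("lookup now:", lookup_token(db, tok, t0 + 60))
    print("lookup after expiry:", lookup_token(db, tok, t0 + 7200))
    print("32-bit tokens, 1e6 users:", guess_success_probability(1_000_000, 32))
    print("256-bit tokens, 1e6 users:", guess_success_probability(1_000_000, 256))
```

`guess_success_probability` makes the answer's first bullet concrete: with a million active 32-bit tokens, roughly one blind guess in four thousand lands on someone's session, whereas 256-bit tokens put the same attack beyond any feasible number of requests. Whether tokens should expire at all is the question's open point; the `ttl_seconds` field here simply shows that adding expiry costs one timestamp per token.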