我一直在尝试围绕我要开发的 API 进行身份验证。
我试图想出一种方法来成功验证用户,记住用户可以访问客户端上的所有数据,我想出了这个想法。
Client sends username and password to the server
Server checks if they match a user.
If it does, we create a hashed string with user_id+e-mail+currentTime+salt
and stores this in a database-table with an expiration date.
Server returns hashed string to client
Client sends random request to server including key
Server checks if key is correct and if it's expired
这是一种安全的方法,还是您发现任何安全漏洞?