发表新帖
发表新帖

PHP - Passing data from a site to another site securely

后端 未结
关注
3 1476
走了就别回头了
走了就别回头了 2021-02-06 06:20

I have a site that can take requests from multiple sites. Sort of like a upgrade check. These sites will send info like user names, passwords, app version etc, then my site will

3条回答
  • 心在旅途
    心在旅途 (楼主)
    2021-02-06 07:07

    Well, I would highly suggest not sending the username / password across plain text under any circumstance (even when under SSL). Instead, I'd suggest using a Digest form of authentication.

    Instead, I would suggest generating a large authentication token (a random string of large size, 128 characters would work). Then, the users would install this "token" in their app.

    Now, when the app checks for updates, it first fires a request to your server asking for a digest token. This is a random, one time use token that's only used for exactly one request. Your application should generate a token, store it in a durable format (file, memory, database, etc) along with the timestamp, and then send it back.

    Now, your application receives this digest token (called $dt here). Then, you hmac it with the pre-configured authentication token that was already given.

    $authBit = $username . ':' . $authToken;
$hash = hash_hmac('sha256', $authBit, $digestToken);
$authField = $username . ':' . $hash . ':' . $digestToken;

    Then, you send the $authField to the server. The server will then split the parts:

    list ($user, $hash, $digestToken) = explode(':', $authField);

    Now, you first lookup the user's authentication token in the database and store it in $authToken. Then, you lookup the $digestToken to make sure that it exists and that it was created less than 60 seconds ago (you can adjust this if it's too short, but don't make it significantly longer). Either way, delete it from the db at this point (to prevent it from being reused).

    Now, if the $digestToken exists and is valid, and you can find a $authToken, then just do the following check:

    $stub = $user . ':' . $authToken;
if ($hash == hash_hmac('sha256', $stub, $digestToken)) {
    //valid user
} else {
    //Not valid
}

    It has the benefit of changing the sent token each and ever single http request (anyone reading the request stream won't be able to get any sensitive information from the request, other than the username which you could mask further if you'd like)...

    0 讨论(0)
 看不清?
提交回复
热议问题