发表新帖
发表新帖

Implementing a token authentication

后端 未结
关注
2 2147
野趣味
野趣味 2021-02-10 22:42

Which are the steps must I follow to implement a token authentication in my web page?

Any summary or links will be appreciated.

I want to implement similar to F

2条回答
  • 情话喂你
    情话喂你 (楼主)
    2021-02-10 23:31

    You should think about your requirements, pick an appropriate protocol and some decent piece of software that implements it.

    It's really hard to say more without more details:

    • are you talking about authentication for one or for multiple web applications? do you need single sign on between different web applications?
    • should all user data be stored on your server or should user be able to login e.g. with the google account?
    • should the token contain informations about the user?
    • on what platform are your applications developed?
    • what authentication method should be used?
    • do you want to realize a portal?

    There is a really wide range of protocols and tools which might or might not fit to your requirements:

    http://en.wikipedia.org/wiki/Category:Authentication_methods

    http://en.wikipedia.org/wiki/Category:Identity_management_systems

    I personally like CAS ( http://www.jasig.org/cas) for token-base SSO between multiple web applications. It's Java based but also has some support for PHP and .Net.

    OpenID is fine, if you want to allow users to login with their Google, Yahoo, whatever account (configurable...) and don't want to store user information by yourself.

    Kerberos/SPNEGO is the way to go if you want to haven integrated windows-sso for your corporate intranet applications.

    For university applications SAML/Shibboleth probably is best. Outside universities it's somewhat less popular, probably cause it's a fairly complex protocol.

    Oh and I almost forget: Most of the web frameworks/standards have there own version of plain-old "form based authentication". Where a user goes to a login form enters its username and password. Both are with or without SSL transported to the web/application server. The server validates it against some kind of database and gives a cookie to the user, which is transmitted and validated every time the user sends a request. But beside all this shiny protocols this seems to be pretty boring :-)

    And before doing anything with web authentication, you might think for a moment about web security in general ( http://journal.paul.querna.org/articles/2010/04/11/internet-security-is-a-failure/ http://www.eff.org/files/DefconSSLiverse.pdf) and what you can do to not make it even worse on your site ( http://www.codinghorror.com/blog/2008/08/protecting-your-cookies-httponly.html http://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202010.pdf).

    0 讨论(0)
 看不清?
提交回复
热议问题