rest - Security PHP RESTful API
I am starting to develop a simple PHP RESTful API. After reading some tutorials, one of the features of REST is that
"... statelessness is key. Basically, what it means is that the state needed to handle the request is contained in the request itself, whether as part of the URI, the query string parameters, the body or the headers."
So, does that mean that my PHP server will not need to use $_SESSION? What kind of approach do you suggest? Does using a token (valid for a short period of time) in the URL not seem a bit insecure? For example, www.myapi.com/1233asdd123/get_user/12
Many thanks.
If you are a web developer of any kind, you have probably heard this sentence 1000 times: "HTTP is a stateless protocol". This means that each session works with a token exchanged between the server and the client.
When you use PHP's built-in sessions, the server is actually doing exactly this, even if you do not realize it: it generates a session_id and sends it to the client. The client sends the session_id token back, normally in a cookie; PHP also allows the session token to be included in the URL as a GET parameter, but I personally recommend against it (disabled by default on PHP 5.3+).
In your case, yes, you will not use PHP sessions.
You create a table in your database storing all session tokens and the associated sessions. A token should have a short lifespan (for example, 30 minutes) and it should be refreshed periodically. Refreshing is not only important to extend the life of the session (each refresh gives you 30 more minutes), but it also helps fight against session key theft. In some REST servers we have built, the session token lasts 30 minutes and users automatically request a new token 10 minutes after the session starts. When a new token is sent to the client, the old one is instantly invalidated.
You can pass the token to the server in several ways, but adding it as a GET parameter is not an ideal solution for two reasons: 1. GET parameters are often written in the server's log entries, and 2. users often copy/paste URLs and share them, which can expose their session token.
For API servers, the best way to include the session token is in one of the headers of the HTTP request. For example, you can set your Authorization header like this: Authorization: session-token 123123123, where 123123123 is your token and session-token is a string telling the server your authorization method (you are free to choose your own name, unless it is somehow a default method like Basic; however, be consistent!).
Security for APIs is usually obtained on the server using SSL. In fact, if you have an API server, you should protect it with HTTPS (SSL).
There are ways to get security even without using SSL, but they require signing every request and are really complex to implement and use, and the overhead they introduce could be comparable to that of SSL.
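The token scheme described in this answer (database table of tokens, 30-minute lifespan, refresh after 10 minutes, old token invalidated, token carried in an Authorization header), as an added example that is not the answerer's code. It assumes PHP 8 with the PDO SQLite driver, and the table name, token format and scheme name are my own choices.

```php
<?php
// Added example, not the answerer's code: a minimal session-token store for a
// stateless PHP API. Uses an in-memory SQLite table via PDO so it runs offline;
// table name, token format and the 30/10-minute policy are assumptions from the answer.
declare(strict_types=1);
const TOKEN_LIFETIME = 1800; // 30 minutes, as in the answer
const REFRESH_AFTER  = 600;  // client asks for a new token 10 minutes in

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE api_sessions (token TEXT PRIMARY KEY, user_id INTEGER, issued_at INTEGER, expires_at INTEGER)');

function issueToken(PDO $db, int $userId, int $now): string {
    $token = bin2hex(random_bytes(32)); // 256 random bits: unguessable, never derived from user data
    $db->prepare('INSERT INTO api_sessions VALUES (?, ?, ?, ?)')
       ->execute([$token, $userId, $now, $now + TOKEN_LIFETIME]);
    return $token;
}

// Parse "Authorization: session-token <token>"; return the session row, or null if unknown/expired.
function authenticate(PDO $db, string $authHeader, int $now): ?array {
    if (!preg_match('/^session-token\s+([a-f0-9]{64})$/', $authHeader, $m)) {
        return null;
    }
    $stmt = $db->prepare('SELECT * FROM api_sessions WHERE token = ? AND expires_at > ?');
    $stmt->execute([$m[1], $now]);
    return $stmt->fetch(PDO::FETCH_ASSOC) ?: null;
}

// Refresh: only after REFRESH_AFTER seconds; the new token replaces the old one atomically.
function refreshToken(PDO $db, string $oldToken, int $now): ?string {
    $session = authenticate($db, "session-token $oldToken", $now);
    if ($session === null || $now - (int)$session['issued_at'] < REFRESH_AFTER) {
        return null;
    }
    $db->beginTransaction();
    $new = issueToken($db, (int)$session['user_id'], $now);
    $db->prepare('DELETE FROM api_sessions WHERE token = ?')->execute([$oldToken]);
    $db->commit();
    return $new;
}

// Walk-through with constructed timestamps; each check throws if the policy is violated.
$t0  = 1700000000;
$tok = issueToken($db, 12, $t0);
authenticate($db, "session-token $tok", $t0 + 60) ?? throw new RuntimeException('fresh token rejected');
refreshToken($db, $tok, $t0 + 60) === null || throw new RuntimeException('refreshed too early');
$new = refreshToken($db, $tok, $t0 + REFRESH_AFTER + 1) ?? throw new RuntimeException('refresh failed');
authenticate($db, "session-token $tok", $t0 + REFRESH_AFTER + 2) === null || throw new RuntimeException('old token still valid');
```

In a real deployment the header comes from `$_SERVER['HTTP_AUTHORIZATION']` (or `apache_request_headers()`), the table lives in your regular database, and the whole exchange runs over HTTPS as the answer says.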