This is quite a simple question - although one that is on my mind right now as I start my first real-world and quite grand (in terms of size) project.
这是一个非常简单的问题 - 虽然我现在正在思考这个问题,因为我开始了我的第一个真实世界和相当宏伟的(在大小方面)项目。
How would I go about verifying a user's identity (username and password) when the send an Ajax request via PHP? It seems like there is a simple solution: to send both the username and password as POST variables along with the others in the request but it seems to me that solution is quite inefficient (as it has to check in the database every single time a request is made and be quite redundant for different Ajax requests).
当通过PHP发送Ajax请求时,我将如何验证用户的身份(用户名和密码)?似乎有一个简单的解决方案:将用户名和密码作为POST变量与请求中的其他变量一起发送,但在我看来,解决方案效率很低(因为每次请求都必须检查数据库)对于不同的Ajax请求,它是完全冗余的。
I looked into how Twitter does their Ajax requests (such as for posting a new tweet) and I don't see them sending any authentication information in the request - but how do they know that it is in fact me, the owner of my profile, sending the Ajax request to post the new tweet?
我调查了Twitter如何处理他们的Ajax请求(例如发布新的推文),我没有看到他们在请求中发送任何身份验证信息 - 但是他们怎么知道它实际上是我,我的个人资料的所有者,发送Ajax请求发布新推文?
If it helps anyone come up with a great solution - I am using the JQuery AJAX library and the CodeIgniter PHP framework.
如果它能帮助任何人提出一个很好的解决方案 - 我正在使用JQuery AJAX库和CodeIgniter PHP框架。
Thanks!
谢谢!
2 个解决方案
#1
5
Ajax requests are exactly the same as any other HTTP request. Whether it's done via JavaScript or by typing a URI into your browser's address bar, they are all HTTP requests.
Ajax请求与任何其他HTTP请求完全相同。无论是通过JavaScript还是在浏览器的地址栏中输入URI,它们都是HTTP请求。
You are right that sending the username and password over HTTP is the wrong solution. However, sending the username/password is usually necessary once but this should only be done on HTTPS, so that it isn't sent as plain text. Once authenticated, you can store the user ID in a server-side session variable for access in future requests.
你是对的,通过HTTP发送用户名和密码是错误的解决方案。但是,通常需要发送一次用户名/密码,但这只能在HTTPS上完成,因此不会以纯文本形式发送。经过身份验证后,您可以将用户ID存储在服务器端会话变量中,以便在将来的请求中进行访问。
A little pseudo-code to help you along the way:
一个小伪代码可以帮助您:
if(!empty($_SESSION["userId"])) {
// User is authenticated. Do something.
}
else if(!empty($_POST["username"])) {
// User is attempting to log in. Check against database.
$userId = getUserIdByUsernamePassword($_POST["username"], $_POST["password"]);
// Store user id in session variable.
if($userId > 0) {
$_SESSION["userId"] = $userId;
}
}
else {
// User is not authenticated.
}
A common pitfall is to store authentication in a cookie. Cookies are stored on the client side, so if you do it this way anyone could forge authentication by creating their own cookies.
常见的缺陷是将身份验证存储在cookie中。 Cookie存储在客户端,因此如果您这样做,任何人都可以通过创建自己的cookie来伪造身份验证。
Using session variables in PHP, a cookie is used, however it doesn't identify the user at all, rather identifies the connection between the client and the server.
在PHP中使用会话变量,使用cookie,但它根本不识别用户,而是识别客户端和服务器之间的连接。
But to successfully authenticate real-world projects, session cookies should not be relied upon. Rather, a combination of a session variable, a UUID cookie and a salted hash cookie can increase integrity of authentication... but this is another topic altogether.
但要成功验证实际项目,不应依赖会话cookie。相反,会话变量,UUID cookie和盐渍哈希cookie的组合可以提高身份验证的完整性......但这完全是另一个主题。
#2
0
I think the best way (and maybe only way) to do this is to have the file that is being requested via ajax check that the user is logged in (via something like a session). I wouldn't advise sending the details with the request, since they will be in the source code somewhere which is typically not desired.
我认为执行此操作的最佳方式(也许是唯一的方法)是让通过ajax请求的文件检查用户是否已登录(通过类似会话的方式)。我不建议发送请求的详细信息,因为它们将在某些通常不需要的源代码中。
#1
5
Ajax requests are exactly the same as any other HTTP request. Whether it's done via JavaScript or by typing a URI into your browser's address bar, they are all HTTP requests.
Ajax请求与任何其他HTTP请求完全相同。无论是通过JavaScript还是在浏览器的地址栏中输入URI,它们都是HTTP请求。
You are right that sending the username and password over HTTP is the wrong solution. However, sending the username/password is usually necessary once but this should only be done on HTTPS, so that it isn't sent as plain text. Once authenticated, you can store the user ID in a server-side session variable for access in future requests.
你是对的,通过HTTP发送用户名和密码是错误的解决方案。但是,通常需要发送一次用户名/密码,但这只能在HTTPS上完成,因此不会以纯文本形式发送。经过身份验证后,您可以将用户ID存储在服务器端会话变量中,以便在将来的请求中进行访问。
A little pseudo-code to help you along the way:
一个小伪代码可以帮助您:
if(!empty($_SESSION["userId"])) {
// User is authenticated. Do something.
}
else if(!empty($_POST["username"])) {
// User is attempting to log in. Check against database.
$userId = getUserIdByUsernamePassword($_POST["username"], $_POST["password"]);
// Store user id in session variable.
if($userId > 0) {
$_SESSION["userId"] = $userId;
}
}
else {
// User is not authenticated.
}
A common pitfall is to store authentication in a cookie. Cookies are stored on the client side, so if you do it this way anyone could forge authentication by creating their own cookies.
常见的缺陷是将身份验证存储在cookie中。 Cookie存储在客户端,因此如果您这样做,任何人都可以通过创建自己的cookie来伪造身份验证。
Using session variables in PHP, a cookie is used, however it doesn't identify the user at all, rather identifies the connection between the client and the server.
在PHP中使用会话变量,使用cookie,但它根本不识别用户,而是识别客户端和服务器之间的连接。
But to successfully authenticate real-world projects, session cookies should not be relied upon. Rather, a combination of a session variable, a UUID cookie and a salted hash cookie can increase integrity of authentication... but this is another topic altogether.
但要成功验证实际项目,不应依赖会话cookie。相反,会话变量,UUID cookie和盐渍哈希cookie的组合可以提高身份验证的完整性......但这完全是另一个主题。
#2
0
I think the best way (and maybe only way) to do this is to have the file that is being requested via ajax check that the user is logged in (via something like a session). I wouldn't advise sending the details with the request, since they will be in the source code somewhere which is typically not desired.
我认为执行此操作的最佳方式(也许是唯一的方法)是让通过ajax请求的文件检查用户是否已登录(通过类似会话的方式)。我不建议发送请求的详细信息,因为它们将在某些通常不需要的源代码中。