1. Token authorization mechanism. After the user logs in with a username and password, the server returns a Token to the client.
2. Timestamp timeout mechanism. Each client request carries the current timestamp.
After the server receives the request, it compares that timestamp with its own current time. If the difference exceeds a fixed limit (for example, 5 minutes), the request is treated as invalid. The timestamp timeout mechanism is an effective means of defending against DoS attacks.
3. Signature mechanism.
Combine the Token, the timestamp and the other request parameters, then hash them with the MD5 or SHA-1 algorithm to produce the signature.
Example:

```php
/**
 * @desc Accept and normalise the request parameters
 */
private function dealParam()
{
    // Header parameters -- system parameters
    $systemParam = getAllHeadersParam();
    // Body data -- business parameters (JSON)
    $data = file_get_contents('php://input');
    // Read the per-client private key from the configuration file
    $api_apiKey = C('api_apiKey');
    $privatekey = $api_apiKey[$systemParam['token']];

    $arr = [];
    $arr['token']     = $systemParam['token'];     // Identifier assigned by the server (each client uses its own)
    $arr['timestamp'] = $systemParam['timestamp']; // Timestamp, UTC time, based on Beijing time (UTC+8)
    $arr['version']   = $systemParam['version'];   // Version number
    $arr['sign']      = $systemParam['sign'];      // Signature
    $arr['source']    = $systemParam['source'];    // Source (0-Android/1-iOS/2-H5/3-PC/4-php/5-java)
    $arr['data']      = json_decode($data, true);  // Business parameters, decoded from JSON
    $arr['method']    = $arr['data']['method'];    // Interface to call, format: model name.method name
    return $arr;
}
```
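The `dealParam` function above only collects the token, timestamp, sign and body; it does not show the server-side checks that make the three mechanisms effective. The following is an added example, not code from the original article, that performs all three checks on one request: token lookup, timestamp window, and signature verification. It assumes a hypothetical in-memory `API_SECRETS` table in place of `C('api_apiKey')`, a canonical string made of the sorted parameters plus the raw body, and a keyed HMAC-SHA-256 in place of the plain MD5/SHA-1 digest mentioned in the text, since an unkeyed hash of concatenated parameters can be recomputed by anyone who sees the request.

```php
<?php
// Added example (not from the original article): server-side verification of a
// request carrying the token / timestamp / sign headers described above.
// Assumptions (hypothetical): API_SECRETS stands in for C('api_apiKey'), the sign
// covers the sorted parameters plus the raw body, and HMAC-SHA-256 replaces MD5/SHA-1.

declare(strict_types=1);

const TIMESTAMP_WINDOW_SECONDS = 300;   // 5 minutes, as the article suggests

// Constructed sample of what the configuration would hold: token => per-client secret.
const API_SECRETS = [
    'client-android-demo' => 'demo-secret-do-not-use-in-production',
];

/**
 * Build the canonical string that both client and server sign: every parameter
 * except 'sign', sorted by key, joined as key=value&key=value. The raw JSON body is
 * included so that any change to the business data invalidates the signature.
 */
function canonicalString(array $params, string $rawBody): string
{
    unset($params['sign']);
    $params['data'] = $rawBody;
    ksort($params, SORT_STRING);
    $pairs = [];
    foreach ($params as $k => $v) {
        $pairs[] = $k . '=' . $v;
    }
    return implode('&', $pairs);
}

function computeSign(array $params, string $rawBody, string $secret): string
{
    return hash_hmac('sha256', canonicalString($params, $rawBody), $secret);
}

/**
 * Verify one request. Returns null when the request is accepted, otherwise a short
 * reason suitable for the server log (the client should only ever see "invalid").
 */
function verifyRequest(array $headers, string $rawBody, int $now): ?string
{
    foreach (['token', 'timestamp', 'sign'] as $required) {
        if (!isset($headers[$required]) || $headers[$required] === '') {
            return "missing header: $required";
        }
    }

    // 1. Token mechanism: the token must map to a known client secret.
    $secret = API_SECRETS[$headers['token']] ?? null;
    if ($secret === null) {
        return 'unknown token';
    }

    // 2. Timestamp mechanism: reject requests outside the +/- 5 minute window.
    if (!ctype_digit((string) $headers['timestamp'])) {
        return 'malformed timestamp';
    }
    if (abs($now - (int) $headers['timestamp']) > TIMESTAMP_WINDOW_SECONDS) {
        return 'timestamp outside allowed window';
    }

    // 3. Signature mechanism: recompute with the client's secret and compare in
    //    constant time so the comparison leaks nothing about the expected value.
    $expected = computeSign($headers, $rawBody, $secret);
    if (!hash_equals($expected, (string) $headers['sign'])) {
        return 'bad signature';
    }

    return null;
}

// Constructed demo: the client signs a request, then the server verifies it.
$now     = time();
$body    = json_encode(['method' => 'user.profile', 'uid' => 42]);
$headers = [
    'token'     => 'client-android-demo',
    'timestamp' => (string) $now,
    'version'   => '1.0',
    'source'    => '0',
];
$headers['sign'] = computeSign($headers, $body, API_SECRETS[$headers['token']]);

var_dump(verifyRequest($headers, $body, $now));        // fresh, correctly signed request
var_dump(verifyRequest($headers, $body, $now + 600));  // same request seen 10 minutes later
$tampered = str_replace('42', '43', $body);
var_dump(verifyRequest($headers, $tampered, $now));    // body modified after signing
```

Two design points matter here. First, the signature covers the timestamp and the body, so a request cannot be altered or re-dated without the client's secret. Second, the timestamp window only bounds how long a captured request remains usable; a request replayed within the 5-minute window still verifies, so servers that need stronger protection additionally record recently seen signatures (or a per-request nonce) and reject duplicates.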
The above are the three mechanisms of PHP interface security. I hope it will be helpful to everyone.