I suggest that, when the online validation succeeds, the server returns something that can be validated off-line - probably signed with a private key, for which the app has the public key (google public key cryptography) - this way, it can be validated locally, without the local copy having enough information to create a valid local validation token.
The local validation should have a start time and end time, and if for any reason the token is invalid, online validation should be done. If the token has recently (for a given value of recent) expired, and online validation fails, the system allows access, to give some grace time.
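An added example (not part of the original answer) of the flow it describes, in Go with Ed25519 from the standard library. The token layout, the 300-second grace value and the names `Token`, `Issue`, `Check` and `Scenario` are assumptions, and the online check is modelled as a callback.

```go
package main

import (
	"crypto/ed25519"
	"encoding/binary"
	"fmt"
)

// Token is a hypothetical layout: validity window (Unix seconds) + server signature.
type Token struct {
	NotBefore, NotAfter int64
	Sig                 []byte
}
func payload(nb, na int64) []byte {
	b := make([]byte, 16)
	binary.BigEndian.PutUint64(b[:8], uint64(nb))
	binary.BigEndian.PutUint64(b[8:], uint64(na))
	return b
}
// Issue runs on the server only; the app ships with just the public key.
func Issue(priv ed25519.PrivateKey, nb, na int64) Token {
	return Token{nb, na, ed25519.Sign(priv, payload(nb, na))}
}
// Check returns "offline", "online", "grace" or "deny" for the time now (Unix seconds).
func Check(pub ed25519.PublicKey, t Token, now, grace int64, online func() bool) string {
	sigOK := ed25519.Verify(pub, payload(t.NotBefore, t.NotAfter), t.Sig)
	switch {
	case sigOK && now >= t.NotBefore && now <= t.NotAfter:
		return "offline" // valid signed token, no network needed
	case online():
		return "online" // any invalid token falls back to the server
	case sigOK && now > t.NotAfter && now-t.NotAfter <= grace:
		return "grace" // genuine token, recently expired, server check failed
	}
	return "deny" // forged, not yet valid, or expired beyond the grace window
}
// Scenario builds a constructed token valid for [1000, 2000] and checks it.
func Scenario(now int64, serverOK, tamper bool) string {
	pub, priv, _ := ed25519.GenerateKey(nil) // nil selects crypto/rand
	t := Issue(priv, 1000, 2000)
	if tamper {
		t.NotAfter = 1 << 40 // client edits the expiry; signature no longer matches
	}
	return Check(pub, t, now, 300, func() bool { return serverOK })
}
func main() {
	fmt.Println(Scenario(1500, false, false), Scenario(2100, false, false), Scenario(1500, false, true))
}
```

Grace is granted only to a token whose signature verifies, so an edited expiry never earns it. The check trusts the local clock, which the user controls.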