保护HTTP请求不被其他人调用
我有一个 Android 应用程序,我想将一些数据上传到我的网络服务器上的数据库。由于 MySql java 库的大小约为 5 mb,因此我不想将其包含在应用程序中。 因此,我将对 php 脚本发出 HTTP 请求,并以 URL 作为参数发送数据。我如何确保只有我可以调用它?我不希望人们嗅出 URL 并在我的应用程序之外调用它。
谢谢
I have an Android application from which I want to upload some data to a database on my web server. As the MySql java library has a size of about 5 mb, I don't want to include it with the application.
So I'll make a HTTP request for a php script and send the data with the URL as parameters. How do I make sure that only I can call this? I don't want people to sniff up the URL and call it outside my application.
Thanks
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(3)
使用简单的静态令牌来识别客户端是您自己或以提前的方式,首先使用用户名/密码进行身份验证,生成令牌并使用此令牌进行进一步的交易。此令牌可能会在一段时间后过期。
选项1:http://[您的请求网址]&key=xyz
其中 xyz 只有您知道
选项 2:首先使用用户名密码 ping 服务器,并在成功验证后获取动态令牌 [dKey],将其存储在本地。
然后提出进一步的要求。
http://[您的请求网址]&key=dKey。
通常遵循选项 2。
Use a simple static token to identify the client is yourself or in an advance way, first authenticate with a username/password, generate a token and use this token for further transactions .This token can expire after some time.
option1: http://[your request url]&key=xyz
where xyz is known only to you
option 2: first ping server with username password and upon successful validation get a dynamic token [dKey], store it locally.
then for further requests.
http://[your request url]&key=dKey.
option 2 is the one normally being followed.
简短的回答是:你无法阻止嗅探。
但是,您可以通过实现某种内部身份验证、GET/POST 预定义参数(或动态,但通过您只知道如何的算法计算)交换、隐藏标头字段等来使嗅探器的生活变得更加困难。
但是所有这些也可以被嗅探/逆向工程。
一种可能的过度杀伤方式是使用某种非对称私钥/公钥加密/签名。比如RSA。您的应用程序将仅包含公钥,并用它签署请求数据。并且您的服务器端将有一个秘密的私钥,它将用它来检查客户端请求的有效性。
The short answer: you cannot prevent sniffing.
But you can make sniffer's life harder by implement a some sort of internal authentication, GET/POST predefined parameters (or dynamic, but calculated by algorithm you only know how) exchange, hidden header fields, etc.
But all this could also be sniffed/reverse engineered.
A possible Overkill Way would be using some sort of asymmetric private/public key encryption/signature. Such as RSA. Your app will only include public key, and sign the request data with it. And your server-side will have a secret private key, it will use it to check validity of client requests.
我对 android 知之甚少 - 但这与问题无关。
如果您想防止某人嗅探 URL(以及身份验证详细信息?),那么唯一的选择是使用 SSL。另一方面,如果您只是想阻止其他人访问该 URL,那么这只是一个身份验证问题。如果您不使用 SSL,则意味着您需要使用会话和基于质询的身份验证来避免人们嗅探流量。您可以通过摘要身份验证或滚动您自己的代码来完成此操作。
C.
I know very little about android - but it's not really relevant to the question.
If you want to prevent someone from sniffing the URL (and authentication details?) then the only option is to use SSL. On the other hand if you merely want to prevent other people from accessing the URL, its simply a question of authentication. If you're not using SSL, then that means you need to use sessions and a challenge-based authentication to avoid people sniffing the traffic. You could do this via digest authentication or roll your own code.
C.