Application call authentication
My knowledge of Flash and other web technologies isn't that good, but I was wondering: how do sites with their own API for applications (e.g. Facebook) authenticate calls from an application? I'm not really familiar with the Facebook API, but Vkontakte (a similar site) uses a secret key, session id and method parameters to generate a query. Why isn't it possible for someone with malicious intent to work out those parameters while the application is at runtime and send a totally different query by, say, changing packets? I was kinda planning on writing an application for Vkontakte, but I don't understand how the applications are protected. I would also be very grateful if someone could recommend any literature concerning these questions.
The security lies in the fact that your shared secret should never be transmitted over the web. With Facebook, for example, you use your app secret to validate a cookie on your server. If you aren't doing any validation on the server, then you are correct in that the access token or whatever is not secure. However, the thing to remember is that with these sites an access token is associated with a single user. So even if that person changes the cookie or whatever, the access token still only has permission to access the single Facebook account. So the person would be doing malicious stuff to their own account.
So for the case of Flash or JavaScript, you always assume the access token and cookie data are not secure. Anything that is security critical you would have to do on the server, only after you validate the cookie data to ensure the cookie is from a legitimate source. I assume that Vkontakte functions in a very similar way.
Again, the biggest thing is to never transmit your secret key outside of your server.
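The server-side check the answer describes, as an added example that is not part of the original post and not Facebook's or Vkontakte's real signed-request format: a hypothetical format of base64url-encoded JSON plus an HMAC-SHA256 over it with the app secret, where the secret exists only on the server, a client that edits the payload cannot produce a valid MAC, and a valid token still only acts for the single user it names.

```python
import base64
import hashlib
import hmac
import json

# Hypothetical app secret for this example only; on a real server it lives in
# configuration and is never sent to the Flash/JavaScript client.
APP_SECRET = b"example-app-secret-never-shipped-to-clients"


def _encode_body(payload: dict) -> str:
    """base64url(JSON) with padding stripped, so the body never contains '.'."""
    raw = json.dumps(payload, sort_keys=True).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def sign_payload(payload: dict, secret: bytes) -> str:
    """Done by the party holding the secret: body + '.' + hex HMAC-SHA256(body)."""
    body = _encode_body(payload)
    mac = hmac.new(secret, body.encode(), hashlib.sha256).hexdigest()
    return body + "." + mac


def verify_signed_request(signed: str, secret: bytes):
    """Server-side validation. Returns the payload dict, or None if anything is off."""
    try:
        body, mac = signed.split(".", 1)
    except ValueError:
        return None
    expected = hmac.new(secret, body.encode(), hashlib.sha256).hexdigest()
    # constant-time compare so the check does not leak how many bytes matched
    if not hmac.compare_digest(expected, mac):
        return None
    padded = body + "=" * (-len(body) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))


def client_side_tamper(signed: str, new_payload: dict) -> str:
    """What a client without the secret can do: swap the body, keep the old MAC."""
    _, old_mac = signed.split(".", 1)
    return _encode_body(new_payload) + "." + old_mac


def handle_request(signed: str, acting_user: str, secret: bytes = APP_SECRET) -> str:
    """A security-critical action: proceed only after validation, and only for the
    user the signed payload names, not whoever the client claims to be."""
    payload = verify_signed_request(signed, secret)
    if payload is None:
        return "rejected: bad signature"
    if payload.get("user_id") != acting_user:
        return "rejected: token belongs to another user"
    return "ok: performing action for " + payload["user_id"]
```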