api 接口安全 篇
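// sign / time / token check for API requests.
// Client computes sign = md5(token . time) and sends sign, token and time as GET parameters.
/**
 * Verifies the session, the per-login token, the request timestamp and the signature.
 *
 * Reads $_GET['sign'], $_GET['token'], $_GET['time'] and $_SESSION. On any failure it
 * writes a JSON error body and exits; it returns normally only when every check passes.
 *
 * NOTE(review): md5($token . $time) contains no server-side secret, so the digest only
 * binds sign to the (token, time) pair; the secrecy of the token is what protects the
 * API. There is also no nonce, so a captured request stays valid inside the time window.
 */
public function checkapi(): void
{
    // Absent parameters become empty strings instead of raising undefined-index notices.
    $sign  = (string) ($_GET['sign'] ?? '');   // client-side: md5($token . $time)
    $token = (string) ($_GET['token'] ?? '');  // token handed out by login()
    $time  = (string) ($_GET['time'] ?? '');   // client's request timestamp (unix seconds)

    if (!isset($_SESSION['user_id'])) {
        echo json_encode(['code' => 400, 'msg' => '请先登录']);
        exit;
    }

    // The token is used directly as a $_SESSION key, so constrain it to the shape
    // login() produces (32 hex chars). Without this a client-chosen key such as
    // 'user_id' would alias the session's own entry and satisfy the comparison.
    // Both values originate from the same $user_id in login(), so strict compare is safe.
    if (!preg_match('/^[0-9a-f]{32}$/', $token)
        || !isset($_SESSION[$token])
        || $_SESSION[$token] !== $_SESSION['user_id']
    ) {
        echo json_encode(['code' => 400, 'msg' => 'token 验证不通过']);
        exit;
    }

    // The timestamp must be an integer within ±100 s of server time. A one-sided
    // (time() - $time) > 100 check would accept a far-future timestamp indefinitely.
    if (!preg_match('/^\d+$/', $time) || abs(time() - (int) $time) > 100) {
        echo json_encode(['code' => 400, 'msg' => '时间过得太久啦,请返回上一步重新请求']);
        exit;
    }

    // Constant-time comparison; '!=' would compare numeric-looking digests
    // ("0e..." strings) as numbers instead of as strings.
    if (!hash_equals(md5($token . $time), $sign)) {
        echo json_encode(['code' => 400, 'msg' => '错误的签名']);
        exit;
    }
}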
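/**
 * Authenticates with $_POST['name'] / $_POST['password'] through $this->_dologin() and,
 * on success, stores the user id plus a fresh API token in the session.
 *
 * Always writes a JSON body and exits. The success body carries 'token', which the
 * client keeps and sends with every request that goes through checkapi().
 */
public function login(): void
{
    // Absent fields become empty strings instead of raising undefined-index notices.
    $name     = (string) ($_POST['name'] ?? '');
    $password = (string) ($_POST['password'] ?? '');

    $user_id = $this->_dologin($name, $password);
    if (!$user_id) {
        // login failed — nothing is stored in the session
        echo json_encode(['code' => 400, 'msg' => 'login error']);
        exit;
    }

    // A session id issued before authentication must not survive the login
    // (session fixation); session data is carried over to the new id.
    if (session_status() === PHP_SESSION_ACTIVE) {
        session_regenerate_id(true);
    }

    // 32 hex chars from a CSPRNG: the same shape as the former md5() token, but not
    // derivable from the user id (rand(0, 9999) gives only 10 000 guessable values).
    $token = bin2hex(random_bytes(16));
    $_SESSION['user_id'] = $user_id;
    $_SESSION[$token]    = $user_id; // checkapi() looks the token up under this key

    echo json_encode(['code' => 200, 'msg' => 'login success', 'token' => $token]);
    exit; // client stores the token
}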