Safe token handling to prevent token theft

The HTTP protocol is stateless

  • Web applications keep the user's login state with a cookie plus a server-side session
  • Mobile clients keep the login state with a token; because the token travels over the network, a man-in-the-middle can capture it easily and then perform operations as that user

Solution:

  • Server side

Return a random string in a response header, CSRF_TOKEN = xxxxxxxxxxx (a different value for every request)

  • Client side
  1. The client and the server share a key that is kept secret: secret = yyyyyyyyy
  2. The client reads CSRF_TOKEN from the response header; the next request must carry it
  3. The client signs (secret + submitted data)

When the user submits data to the server, the server first verifies the signature to check that the data has not been tampered with, then checks that the token and the random string match, and only then performs the operation and refreshes the random string. A man-in-the-middle who captures the token alone cannot do anything without the random string. In the worst case the man-in-the-middle also obtains the random string by intercepting the response header, but since the key is never compromised he still cannot produce a signature, so the operation still cannot be performed.
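The flow above, as an added example that is not code from the original post: the server hands out a per-request CSRF_TOKEN, the client signs with a key that never goes on the wire, and the server checks signature first, then the one-time random string, then rotates it. HMAC-SHA256 is an assumed choice of signature, and the login token, body and "guess" key are constructed values.

```python
import hashlib, hmac, secrets


def sign(secret: str, csrf_token: str, body: str) -> str:
    # Client side: sign (secret + submission). HMAC-SHA256 over the current
    # CSRF_TOKEN and the body is an assumed choice; the post names no algorithm.
    return hmac.new(secret.encode(), (csrf_token + body).encode(),
                    hashlib.sha256).hexdigest()


class Server:
    # Keeps the shared key per login token plus the one-time random string
    # (CSRF_TOKEN) that is refreshed after every accepted request.
    def __init__(self):
        self.keys = {}    # login token -> shared secret, never sent on the wire
        self.nonces = {}  # login token -> current CSRF_TOKEN random string

    def login(self, secret: str) -> dict:
        token = secrets.token_hex(16)
        self.keys[token] = secret
        self.nonces[token] = secrets.token_hex(16)
        return {"token": token, "CSRF_TOKEN": self.nonces[token]}  # header

    def handle(self, token: str, csrf_token: str, body: str, signature: str):
        # Order as in the post: signature, then token + random string, refresh.
        secret = self.keys.get(token)
        if secret is None:
            return False, None
        if not hmac.compare_digest(sign(secret, csrf_token, body), signature):
            return False, None  # tampered body or request made without the key
        if not hmac.compare_digest(self.nonces[token], csrf_token):
            return False, None  # stale or replayed random string
        self.nonces[token] = secrets.token_hex(16)  # one-time use: rotate
        return True, self.nonces[token]


def demo() -> dict:
    # Constructed scenario: an honest request, a replay of that captured
    # request, and a request with the token and fresh CSRF_TOKEN but no key.
    server = Server()
    key = "yyyyyyyyy"  # agreed between app and server, as in the post
    session = server.login(key)
    token, nonce, body = session["token"], session["CSRF_TOKEN"], "amount=100"
    sig = sign(key, nonce, body)
    honest, next_nonce = server.handle(token, nonce, body, sig)
    replay, _ = server.handle(token, nonce, body, sig)
    no_key, _ = server.handle(token, next_nonce, body, sign("guess", next_nonce, body))
    return {"honest": honest, "replay": replay, "no_key": no_key}
```

Only the first request is accepted; the replay fails on the rotated random string and the key-less request fails on the signature check before the random string is even compared.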

Disadvantages:
The above solution applies only to an app client, not to a browser, because the browser has no safe place to store the key.

To sum up:

Just use HTTPS!

Origin: www.cnblogs.com/rinack/p/11295364.html