发表新帖
发表新帖

How to ensure access to my web service from my code only?

前端 未结
关注
9 1920
天命终不由人
天命终不由人 2020-12-17 22:32

I am writing a very simple web service for my iPhone app. Let\'s say this is a http page that returns a random number at http://mysite/getRand. How do I ensure that this pag

相关标签:
9条回答
  • 予麋鹿
    2020-12-17 23:11

    To follow up on Simon's idea, you could very easily have a key string in your application, then send the device ID, and then the DeviceID XOR'ed (or some other simple algorithm for string encryption) with your key string.

    Since you know the key value to use, it's trivial for you to "decrypt" this string on the sever side and verify that the values match.

    This way, the password is different for each user's device, and the "key" string is never sent over the wires of the great unwashed internets. :-)

    Yes, this would by no means be impossible to figure out, but like others have said, the idea is not to make it impossible. The idea is to make it more trouble than it is worth.

    0 讨论(0)
  • 北海茫月
    2020-12-17 23:19

    As some of the answers have stated, closing your web service off to everyone else will be a major hassle. The best you can hope for is to make it easier for the hackers to use another web service, than to use yours...

    Another suggestion to do this, is to generate random numbers from a random seed on both the server and the client. The server would need to track where in the sequence of random numbers all of the clients are, and match that number to the one sent by the client.

    The client would also have to register to be given access to the server. This would also serve as a authentication mechanism.

    So:

    //Client code:
$sequence = file_get_contents('sequence.txt');
$seed = file_get_contents('seed.txt');
$sequence++;

//Generate the $sequence-th random number
srand($seed);
for ($i = 0; $i <= $sequence; $i++) {
    $num = rand();
}
//custom fetch function
get_info($main_url . '?num=' . $num . '&id' = $my_id);

    This will generate a request similiar to this:

    http://webservice.com/get_info.php?num=3489347&id=3

    //Server Code: (I'm used to PHP)

//Get the ID and the random number
$id = (int)$_REQUEST['id'];
$rand = (int)$_REQUEST['num'];
$stmt = $db->prepare('SELECT `sequence`, `seed` FROM `client_list` WHERE `id` = :id');
if ($stmt->execute(array(':id' => $id)) {
    list($sequence, $seed) = $stmt->fetch(PDO::FETCH_ASSOC);
}
$sequence++;

//Generate the $sequence-th random number
srand($seed);
for ($i = 0; $i <= $sequence; $i++) {
    $num = rand();
}
if ($num == $rand) {
    //Allow Access
} else {
    //Deny Access
}

    By using a a different seed for each client, you ensure that hackers can't predict a random number by tracking previous numbers used.

    0 讨论(0)
  • 孤街浪徒
    2020-12-17 23:20

    I'm not an Cocoa Touch developer, but I think HTTP Authentication over SSL would be easy to implement and it's probably exactly what you're looking for.

    All you need to do is setup HTTP Authentication on the server side (you haven't mentioned what you're using on the server side) and create a self-signed SSL cert on your webserver. Done. :)

    Tell us more about your setup and we will be able to help you further.

    0 讨论(0)
 看不清?
提交回复
热议问题