Token authentication using PHP for mobile devices

浪子不回头ぞ submitted on 2020-01-22 15:13:04

Question


I'm writing an iPhone app to be the mobile version of my website.

I intend to expose some REST API so the app can update the user's data.

I do not wish the user to login every time, but I want to save his token/cookie and reuse it for all future requests.

I can set up a random token and pass it along with the user ID, but it's not very secure since it's easy to access it on a jailbroken device. I cannot restrict it using an IP, since the IP will probably change frequently (since it's a mobile device).

What's the best way to implement such an authentication which will be secure enough but won't annoy the user by asking him to authenticate himself often?


Answer 1:


Send the UDID or MAC address with the initial login details to your server. Create a unique token for this user/UDID (or MAC) combination and send it back (encrypted) to the device if username/pass is successful. On subsequent access, the device sends the encrypted token and UDID/MAC (over a secure connection) for re-authentication.

If you want to put paranoid people at ease about tracking UDID, you could instead use the UDID/MAC to salt the encrypted token. This won't be as secure, but should still do the job.
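The scheme in the answer (a per-user, per-device token issued after a password login and checked on every later request), as an added server-side example in plain PHP; it is not code from the question or the answer. The `device_tokens` table, the 30-day lifetime and the PDO connection are assumptions, and the server stores only a SHA-256 hash of the token so a leaked database does not yield usable credentials.

```php
<?php
// Added example (not from the Stack Overflow answer). Assumed table:
//   device_tokens(user_id INT, device_id TEXT, token_hash TEXT, expires_at INT)
// $deviceId is the device identifier the answer calls UDID/MAC; the client sends
// it together with the token over TLS on every request.
declare(strict_types=1);

const TOKEN_TTL = 60 * 60 * 24 * 30; // 30 days; assumed value, tune to your risk appetite

// Called once after username/password succeed. Returns the plaintext token that is
// sent to the device; only its hash is persisted, so the server cannot replay it either.
function issueDeviceToken(PDO $db, int $userId, string $deviceId): string
{
    $token = bin2hex(random_bytes(32)); // 256 bits from the CSPRNG, hex-encoded

    // One live token per user/device pair: drop any previous one first.
    revokeDeviceToken($db, $userId, $deviceId);
    $stmt = $db->prepare(
        'INSERT INTO device_tokens (user_id, device_id, token_hash, expires_at)
         VALUES (:uid, :dev, :hash, :exp)'
    );
    $stmt->execute([
        ':uid'  => $userId,
        ':dev'  => $deviceId,
        ':hash' => hash('sha256', $token),
        ':exp'  => time() + TOKEN_TTL,
    ]);
    return $token;
}

// Called on every subsequent request. A token is accepted only for the exact
// user/device pair it was issued to and only while it has not expired.
function verifyDeviceToken(PDO $db, int $userId, string $deviceId, string $token): bool
{
    $stmt = $db->prepare(
        'SELECT token_hash, expires_at FROM device_tokens
         WHERE user_id = :uid AND device_id = :dev'
    );
    $stmt->execute([':uid' => $userId, ':dev' => $deviceId]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || (int) $row['expires_at'] < time()) {
        return false;
    }
    // Constant-time comparison so a timing side channel does not leak the hash.
    return hash_equals($row['token_hash'], hash('sha256', $token));
}

// Revoke on logout, password change, or when the user reports a lost device.
function revokeDeviceToken(PDO $db, int $userId, string $deviceId): void
{
    $db->prepare('DELETE FROM device_tokens WHERE user_id = :uid AND device_id = :dev')
       ->execute([':uid' => $userId, ':dev' => $deviceId]);
}
```

Because the token is only valid for the user/device pair it was issued to, a token copied off one device does not authenticate a different device, and revoking a single pair logs out only that device.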



Source: https://stackoverflow.com/questions/8477430/token-authentication-using-php-for-mobile-devices
