If the API we write can be called directly without any authentication, it exposes our website to serious risk: an attacker can use the interface to read and modify the database directly, and the consequences are hard to bound. So how do you verify callers effectively?

Here we borrow the access_token mechanism from WeChat development: the app's front-end developer obtains a token by submitting an appid and appsecret. The server caches the token for 7200 seconds. Note that if the client asks for a token on every request, the cached token is reset (replaced) each time.

It is therefore recommended that the client cache the token as well: the client checks whether a local token exists and, if so, passes it as a parameter when calling our API; the server checks the token's validity and responds accordingly. If the cached token is rejected as invalid, the client simply requests a new one. That is the idea in outline; complete reference code follows, and if you have a better approach, please leave a comment.
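The issue-and-cache flow described above, written out as an added example rather than the post's own ThinkPHP code. It is a plain PHP script: an in-memory array stands in for ThinkPHP's S() cache, the app registry (one constructed appid/appsecret pair) and the user record are assumed, and a client helper reuses its locally cached token and only asks for a new one when the server answers 4001. It goes slightly beyond the post's reference code by checking the secret with hash_equals(), generating the token with random_bytes(), and giving cache entries a real expiry.

```php
<?php
// Added example, not the post's own ThinkPHP code. An in-memory array stands in
// for ThinkPHP's S() cache; the app registry and the user record are constructed.
declare(strict_types=1);

const TOKEN_TTL = 7200; // seconds, the lifetime the post uses

// Constructed registry of known apps: appid => appsecret (values are assumptions).
$apps = ['dmm888' => 'http://cnblogs.com/dmm888'];

// Stand-in for S(): key => [value, expiry timestamp].
$cache = [];

function cacheSet(array &$cache, string $key, string $value, int $ttl, int $now): void {
    $cache[$key] = [$value, $now + $ttl];
}

function cacheGet(array &$cache, string $key, int $now): ?string {
    if (!isset($cache[$key]) || $cache[$key][1] <= $now) {
        unset($cache[$key]);            // missing or expired
        return null;
    }
    return $cache[$key][0];
}

// Server side: check the appid/appsecret pair and hand out a token.
// hash_equals() avoids a timing leak on the secret; random_bytes() replaces mt_rand().
function issueToken(array &$cache, array $apps, string $appid, string $secret, int $now): array {
    if (!isset($apps[$appid]) || !hash_equals($apps[$appid], $secret)) {
        return ['code' => 4001, 'msg' => 'invalid appid or appsecret'];
    }
    $old = cacheGet($cache, "app:$appid", $now);
    if ($old !== null) {
        unset($cache["tok:$old"]);      // one live token per app: revoke the old one
    }
    $token = bin2hex(random_bytes(16));
    cacheSet($cache, "app:$appid", $token, TOKEN_TTL, $now);   // appid -> token
    cacheSet($cache, "tok:$token", $appid, TOKEN_TTL, $now);   // token -> appid
    return ['code' => 200, 'token' => $token, 'expires_in' => TOKEN_TTL];
}

// Server side: a protected API. The token must map back to a known app.
function readUser(array &$cache, string $token, int $now): array {
    $appid = cacheGet($cache, "tok:$token", $now);
    if ($appid === null) {
        return ['code' => 4001, 'msg' => 'invalid token'];
    }
    return ['code' => 200, 'data' => ['id' => 2, 'username' => 'In the dark of night']];
}

// Client side: reuse the locally cached token; on 4001 fetch a fresh one and retry once.
function clientCall(array &$cache, array $apps, array &$local, string $appid, string $secret,
                    int $now, bool $retried = false): array {
    if (!isset($local['token'])) {
        $r = issueToken($cache, $apps, $appid, $secret, $now);
        if ($r['code'] !== 200) {
            return $r;
        }
        $local['token'] = $r['token'];
    }
    $resp = readUser($cache, $local['token'], $now);
    if ($resp['code'] === 4001 && !$retried) {
        unset($local['token']);         // local copy is stale: drop it and retry
        return clientCall($cache, $apps, $local, $appid, $secret, $now, true);
    }
    return $resp;
}

$local = [];                            // the client's own token cache
$t0 = time();
$first  = clientCall($cache, $apps, $local, 'dmm888', 'http://cnblogs.com/dmm888', $t0);
$second = clientCall($cache, $apps, $local, 'dmm888', 'http://cnblogs.com/dmm888', $t0 + 10);
$late   = clientCall($cache, $apps, $local, 'dmm888', 'http://cnblogs.com/dmm888', $t0 + TOKEN_TTL + 1);
$bad    = issueToken($cache, $apps, 'dmm888', 'wrong-secret', $t0);
echo json_encode([
    'first' => $first['code'], 'cached' => $second['code'],
    'after_expiry' => $late['code'], 'bad_secret' => $bad['code'],
]), "\n";
```

The second call reuses the cached token without touching the token endpoint; the third arrives after the 7200-second lifetime, gets 4001, drops its local copy and transparently obtains a new token; the wrong secret is refused before any token is issued.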

<?php
namespace Home\Controller;
use Think\Controller;

class IndexController extends Controller {
    public $appid = 'dmm888';
    public $appsecret = 'http://cnblogs.com/dmm888';

    public function index() {
        $this->show('<h1>Welcome to ThinkPHP!</h1><p>[You are now accessing the Index controller of the Home module]</p>', 'utf-8');
    }

    // A protected API: refuses the request unless a valid cached token is supplied.
    // apiReturn() is the author's response helper (not shown in the listing) and is
    // assumed to end the request, as ThinkPHP's ajaxReturn() does.
    public function test() {
        if (!isset($_GET['token'])) {
            $this->apiReturn(4001, 'invalid token');
        } else if (!S($_GET['token'])) {
            $this->apiReturn(4001, 'invalid token');
        }
        $data = array(
            'id'       => 2,
            'username' => 'In the dark of night',
            'info'     => array(
                'age'     => 24,
                'address' => 'Xuefu Road',
                'url'     => 'http://cnblogs.com/dmm888',
            ),
        );
        if ($data) {
            $this->apiReturn(200, 'Reading user information successfully', $data, 'xml');
        }
    }

    // Issues a fresh token for the appid/appsecret pair and caches it for 7200 seconds.
    public function getToken() {
        // appid and appsecret actually come from the client, so this is where you
        // can check that the pair is valid, etc.
        $ori_str = S($this->appid . '_' . $this->appsecret);
        if ($ori_str) {
            // Delete the previous token so only one token per app is valid at a time.
            S($ori_str, null);
        }
        // The token generation mechanism is yours to define; this is one option.
        $nonce  = $this->createNoncestr(32);
        $tmpArr = array($nonce, $this->appid, $this->appsecret);
        sort($tmpArr, SORT_STRING);
        $tmpStr = implode($tmpArr);
        $tmpStr = sha1($tmpStr);
        // echo $tmpStr;
        // Cache both directions, 'a' => b and 'b' => a, each for 7200 seconds.
        S($this->appid . '_' . $this->appsecret, $tmpStr, 7200);
        S($tmpStr, $this->appid . '_' . $this->appsecret, 7200);
        // Hand the token back to the caller (the original listing omitted this step).
        $this->apiReturn(200, 'ok', array('token' => $tmpStr, 'expires_in' => 7200));
    }

    /**
     * Produces a random string no longer than 32 characters.
     */
    function createNoncestr($length = 32) {
        $chars = "abcdefghijklmnopqrstuvwxyz0123456789";
        $str = "";
        for ($i = 0; $i < $length; $i++) {
            $str .= substr($chars, mt_rand(0, strlen($chars) - 1), 1);
        }
        return $str;
    }
}

I won't write out the verification step by step: we just need to give the appid and appsecret to the app's front-end developer and tell him how to use them. The token is unique per app, and only a valid token lets execution continue past the check, which is how security is guaranteed.