@ioleg Now the question is clearer. I understand you're setting up an API, and in this case a session cannot be used: the client session is tied to cookies; it could be emulated through a header, but nobody does that, too much hassle. Usually a secret key is created that only the service and the client know; that secret key is then used to create a signature for each request, which establishes that:

- the request was indeed sent by the client named in the request;
- all the request parameters were indeed written by the original client (the request may be intercepted on the way, and without this check "extra" parameters may be inserted into it);
- the request was actually sent by the client just now, and not by some bad MITM who captured a request that went past a month ago and sent it again.

The signature is an ordinary hash of a string, so this source string for the signature has to be made to depend on parameters that clearly establish the authenticity of the request. Usually this is organized as follows:

1. Server and client share a secret value. This is done once and NOT over the communication channel the requests will later go over; it is usually provided manually, in the admin panel, to the client's developer.
2. The client forms the full request, not a specific HTTP request but the set of parameters: the URL, the list of arguments, the time of the request, the required keys (in this case, one secret), the server's ID, a nonce or the time of the request (in this case the time of the request is added as an ordinary argument; details below).
3. The client hashes all this data, gets the hash and includes it as an argument in the request. The hash depends on the secret key, the time of the request / nonce and all the request parameters; as a result, an attacker must know the whole set to craft a fake request, and given the time of the request or the nonce, cannot simply capture and repeat a request.
4. The server receives the request, parses the arguments, computes exactly the same hash and is convinced of the correctness/incorrectness of the request. If the request is correct, it is executed and the response is sent back.

Thus there is no explicit login step (logged in once and forgotten): every request is signed, and the password is never transmitted.

About the date and nonce: there is the already mentioned type of attack called a replay attack. Say the client asked the server to change the name of a project to "aaaa", and then again to "bbb". The eavesdropping Eve in this case may repeat the request to change the name to "aaaaa" as many times as she finds sufficient to confuse the server and client. There are two ways to fight this:

- The client includes in the request (and in the hash) the time of the request. The server checks the time of the request, and if the time is outside the permitted interval (for example, five minutes), the server refuses to execute the request. Replacing the send time in the request is pointless, since the hash will not match, and the server rejects the request already at the hash verification stage.
- The server issues nonces to clients (number used once). In this case the server issues and remembers unique one-time values for its clients to sign requests with (the same hash, for example); then, when a request arrives, it checks whether such a nonce exists in its store: if it does not, the request is rejected; if it does, the nonce is removed from the store, and Eve can neither repeat the request nor use the already-used nonce. The server may keep not just the nonce but also remember the IP-date pair (although replacing the IP in a packet is not particularly hard, the response will not arrive at whoever replaced it).

Nonces are most commonly used when the client is the user's browser and it is hard to talk about an API in the classical sense; in particular, a CSRF token is a nonce, usually tied to the user's IP.
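The scheme described in this answer, as an added example that is not part of the original post: the client signs the canonical request (method, path, sorted arguments including timestamp and a server-issued nonce) with the shared secret, and the server recomputes the signature, enforces the five-minute window and consumes the nonce. HMAC-SHA256 is used here in place of the plain "hash of a string with the secret" the answer describes; the secret, paths and parameter names are constructed for the demo.

```python
import hmac, hashlib, secrets
from urllib.parse import urlencode

SECRET = b"constructed-shared-secret"  # constructed; exchanged out of band, never over the API channel
WINDOW = 300                           # permitted clock skew in seconds (five minutes, as in the answer)

def canonical(method, path, params):
    # Canonical string: method, path, and arguments sorted by name (ts, nonce included, sig excluded)
    return "\n".join([method.upper(), path, urlencode(sorted(params.items()))])

def sign(secret, method, path, params):
    return hmac.new(secret, canonical(method, path, params).encode(), hashlib.sha256).hexdigest()

def client_request(secret, method, path, params, now, nonce):
    # Client side: add ts and nonce as ordinary arguments, then attach the signature over everything
    p = dict(params, ts=str(now), nonce=nonce)
    p["sig"] = sign(secret, method, path, p)
    return {"method": method, "path": path, "params": p}

class Server:
    def __init__(self, secret):
        self.secret = secret
        self.nonces = set()  # issued, not-yet-used nonces (the answer's "store")

    def issue_nonce(self):
        n = secrets.token_hex(16)
        self.nonces.add(n)
        return n

    def verify(self, req, now):
        p = dict(req["params"])
        sig = p.pop("sig", None)
        try:
            ts, nonce = int(p["ts"]), p["nonce"]
        except (KeyError, ValueError):
            return "rejected: missing ts/nonce"
        expected = sign(self.secret, req["method"], req["path"], p)
        if sig is None or not hmac.compare_digest(expected, sig):
            return "rejected: bad signature"      # any tampered argument lands here
        if abs(now - ts) > WINDOW:
            return "rejected: stale timestamp"    # old capture re-sent outside the window
        if nonce not in self.nonces:
            return "rejected: unknown or used nonce"
        self.nonces.discard(nonce)                # consume the nonce so a replay cannot reuse it
        return "ok"

def demo():
    srv, t0 = Server(SECRET), 1_700_000_000
    req = client_request(SECRET, "POST", "/project/rename", {"name": "aaaa"}, t0, srv.issue_nonce())
    first = srv.verify(req, t0 + 1)                                      # genuine request
    replay = srv.verify(req, t0 + 2)                                     # Eve re-sends the same request
    tampered = {**req, "params": {**req["params"], "name": "bbb"}}      # argument changed in transit
    tamper = srv.verify(tampered, t0 + 3)
    late = client_request(SECRET, "POST", "/project/rename", {"name": "aaaa"}, t0, srv.issue_nonce())
    stale = srv.verify(late, t0 + 600)                                   # valid but outside the window
    return first, replay, tamper, stale
```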