如何在不不断传递用户名/密码的情况下识别Go服务器上的用户
I am still new to webserver stuff, learning as i go (pardon the pun). But am a bit confused how to maintain identities of users making HTTP requests without asking for the username and password every time.
My client side is actually in C# (its a computer game) and my server will recieve http requests from the application. I could send the user id after login but any one could send user id and pretend to be some one they are not so isn't this a secuity issue?
I don't particularly want to be sending user/pass all the time since that will force me to HTTPS all the time due to sensitive information.
What is the general solution for this? I presume cookies can't be done since its C# application and not a browser like Chrome etc.
我仍然是网络服务器领域的新手,边学边学(对双关语)。 但是对于如何维护发出HTTP请求的用户的身份却又不每次都要求用户名和密码感到困惑。 p>
我的客户端实际上是C#(它是一个计算机游戏),我的客户端 服务器将从应用程序接收HTTP请求。 我可以在登录后发送用户ID,但是任何人都可以发送用户ID并假装自己不是,所以这不是安全问题吗? p>
我不是特别想要 一直发送用户/密码,因为由于敏感信息,这将迫使我一直使用HTTPS。 p>
对此的一般解决方案是什么? 我认为自从它的C#应用程序以来,就无法完成Cookie,而不是像Chrome这样的浏览器。 p> div>
I presume cookies can't be done since its C# application and not a browser like Chrome etc.
Cookies are just a header called Cookie and aren't an issue for any reasonable HTTP library.
I don't particularly want to be sending user/pass all the time since that will force me to HTTPS all the time due to sensitive information.
This is what Facebook, Twitter, and most other websites did 10 years ago. Secure login pages prevent your credentials from being stolen, but the other insecure endpoints you hit reveal whatever other information you use to authenticate. This allows your users to be impersonated by anybody monitoring your insecure connections. See Firesheep.
Since you should be securely storing your user's passwords, I would imagine verifying your user's password for every single request is slow.
If an account is guaranteed to never be used by more than one client at a time, you can just generate a random API token for each user, independent of their username and password. Otherwise, you will have to generate random session tokens when the user logs in and map them to the actual user with some sort of database. This is how most websites handle logins.
Regardless of what you do, there will be no way to prevent someone from impersonating another account if they know their secrets (username+password or session ID). This is why you have to use HTTPS and not just HTTP.
I think the typical approach for this is to use the session id: https://en.wikipedia.org/wiki/Session_ID