# a. Issuing tokens: static. Note: the risk is that the key can be obtained by someone else.
# b. Dynamic tokens. Note: (the more serious problem) if an attacker obtains the key, every token the user generates can be cracked.
a. Client and server share the same key
The client sends the key to the server; the server compares the client's key with its own.

Client:

```python
import requests

key = "asdfasdfasdfasdf098712sdfs"
response = requests.get("http://127.0.0.1:8000/api/asset.html", headers={'OpenKey': key})
print(response.text)
```

Server (a Django view; the OpenKey request header arrives as request.META["HTTP_OPENKEY"]):

```python
from django.conf import settings
from django.http import HttpResponse


def asset(request):
    # print(request.META)
    key = request.META.get("HTTP_OPENKEY")
    if key != settings.AUTH_KEY:
        return HttpResponse("验证失败")  # "authentication failed"
    return HttpResponse("ok")  # success branch added so the view is complete
```
b. Key plus time
# Client and server share the same key.
# The client sends the hashed key together with the current time to the server; the server hashes the client's time with its own key,
# then compares the resulting string with the one the client sent.

Client:

```python
import time
import requests
import hashlib

ctime = time.time()
key = "asdfasdfasdfasdf098712sdfs"
new_key = "%s|%s" % (key, ctime)
m = hashlib.md5()
m.update(bytes(new_key, encoding='utf-8'))  # update() takes bytes
md5_key = m.hexdigest()  # the return value is a str
md5_time_key = "%s|%s" % (md5_key, ctime)
response = requests.get("http://127.0.0.1:8000/api/asset.html", headers={'OpenKey': md5_time_key})
print(response.text)
```

Server (a Django view):

```python
import hashlib

from django.conf import settings
from django.http import HttpResponse


def asset(request):
    client_md5_time_key = request.META.get("HTTP_OPENKEY", "")
    if client_md5_time_key.count("|") != 1:  # guard added: a missing or malformed header must not crash the view
        return HttpResponse("验证失败")  # "authentication failed"
    client_md5_key, client_ctime = client_md5_time_key.split("|")
    temp = "%s|%s" % (settings.AUTH_KEY, client_ctime)
    m = hashlib.md5()
    m.update(bytes(temp, encoding='utf-8'))
    server_md5_key = m.hexdigest()
    if server_md5_key != client_md5_key:
        return HttpResponse("验证失败")  # "authentication failed"
    return HttpResponse("ok")  # success branch added so the view is complete
```
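An added example, not code from the original post: scheme b's token as pure functions (no Django or requests), with the checks the page's server side does not perform. The server recomputes the digest from the client's own time string exactly as the page does, then rejects stale tokens, compares in constant time, and refuses a second use of the same token within the window. The 60-second window and the `seen` set are assumptions; nothing on the page specifies them.

```python
import hashlib
import hmac

AUTH_KEY = "asdfasdfasdfasdf098712sdfs"  # the shared key from the page
MAX_SKEW = 60  # seconds; freshness window (assumed, not given on the page)


def make_token(key, ctime):
    """Client side, same as the page: md5(key|ctime) followed by the plaintext time."""
    digest = hashlib.md5(("%s|%s" % (key, ctime)).encode("utf-8")).hexdigest()
    return "%s|%s" % (digest, ctime)


def verify_token(token, key, now, max_skew=MAX_SKEW, seen=None):
    """Server side: recompute the digest, then apply the checks the page's view lacks.

    Returns (accepted, reason). `seen` is an optional set of tokens already
    accepted inside the window; it makes each token single-use.
    """
    parts = token.split("|") if token else []
    if len(parts) != 2:
        return False, "malformed"
    client_digest, client_ctime = parts
    try:
        ctime = float(client_ctime)
    except ValueError:
        return False, "bad timestamp"
    # Freshness: a token captured earlier cannot be replayed once the window has passed.
    if abs(now - ctime) > max_skew:
        return False, "stale"
    # Hash the client's time *string* (not the float) so the bytes match what the client hashed.
    expected = hashlib.md5(("%s|%s" % (key, client_ctime)).encode("utf-8")).hexdigest()
    # Constant-time comparison: an ordinary != leaks how many leading characters matched.
    if not hmac.compare_digest(expected, client_digest):
        return False, "bad digest"
    # Single use inside the window: a captured token cannot be replayed even while still fresh.
    if seen is not None:
        if token in seen:
            return False, "replayed"
        seen.add(token)
    return True, "ok"


if __name__ == "__main__":
    t = 1600000000.5  # constructed client clock value
    tok = make_token(AUTH_KEY, t)
    print(tok)
    print(verify_token(tok, AUTH_KEY, t + 5))        # (True, 'ok')
    print(verify_token(tok, AUTH_KEY, t + 3600))     # (False, 'stale')
```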
Source: http://www.cnblogs.com/oyoui/p/7265376.html