使用共享密钥是一个很好的方法。
我倾向于使用HMAC https://en.wikipedia.org/wiki/HMAC当我需要生成和验证令牌(例如:电子邮件验证)并且不想将其存储在数据库中时。加,HMAC 内置于 PHP 中 http://php.net/hash-hmac,所以这里不需要库。
这个想法是,在您的数据之上,您添加一个签名来验证该令牌是由域 A 上的应用程序创建的。您在域 B 上再次以相同的方式生成令牌以验证它。
Example:
生成令牌的共享函数:
function buildVerificationToken($expires, $content)
{
// Same function on both domains
$APP_SECRET_KEY = 'key code secret'; // Maybe move that out of source code
$tokenData = [
'expires' => $expires, // Include it in signatur generation to prevent user from changing it in URL
'content' => $content, // Create different token for different content
'ip' => $_SERVER['REMOTE_ADDR'], // Identify the browser to make it not shareable. Best approach I could think of for this part.
];
$serialized = json_encode($tokenData);
return hash_hmac('sha256', $serialized, $APP_SECRET_KEY);
}
在域 A 上生成令牌:
<?php
$expires = time() + (4 * 3600); // +4h
?>
<a href= "domainB.com/content1.php?expires=<?php echo $expires; ?>&token=<?php echo buildVerificationToken($expires, 'content1'); ?>">Content 1</a>
在域 B 上验证:
$providedExpires = (int) $_GET['expires'];
$providedToken = $_GET['token'];
$verificationToken = buildVerificationToken($providedExpires, 'content1'); // Build token the same way
if (!hash_equals($verificationToken, $providedToken)) { // hash_equals instead of string comparison to prevent timing attacks
// User provided forged token, token for another content, or another IP
die('Bad token'); // However you want to handle this
}
if (time() > $providedExpires) { // Check expiry time. We can trust the user did not modify it as we checked the HMAC hash
die('Token expired'); // However you want to handle this
}
// User is allowed to see content1