CN108809957A - A method of preventing forged WeChat enterprise account access requests - Google Patents


Info

Publication number: CN108809957A
Application number: CN201810500409.8A
Authority: CN (China)
Legal status: Pending
Other languages: Chinese (zh)
Prior art keywords: enterprise number, temporary authorization, user, information, chain
Inventors: 杨高岭, 侯永松, 陈倩, 林汉升
Original and current assignee: Guangdong Micro School Mdt Infotech Ltd
Priority to CN201810500409.8A; publication CN108809957A (en)

Classifications

    • H04L63/0815 Network architectures or network communication protocols for network security, for authentication of entities, providing single-sign-on or federations (H Electricity; H04 Electric communication technique; H04L Transmission of digital information, e.g. telegraphic communication; H04L63/00; H04L63/08)
    • H04L51/52 User-to-user messaging in packet-switching networks, transmitted according to store-and-forward or real-time protocols, e.g. e-mail, for supporting social networking services (H; H04; H04L; H04L51/00)
    • H04L63/0876 Network architectures or network communication protocols for network security, for authentication of entities, based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint (H; H04; H04L; H04L63/00; H04L63/08)


Abstract

The invention discloses a method of preventing forged WeChat enterprise account access requests, comprising a first process chain and a second process chain. The first process chain comprises the following steps: the front end logs in to the server through the enterprise account and obtains the enterprise account user's id information based on OAuth single sign-on; a temporary authorization instruction is generated from the user's id information; the temporary authorization instruction is saved to the front end's local cookies. The second process chain comprises the following steps: the front end sends a request-data-interface operation to the server through the enterprise account; the server judges whether a temporary authorization instruction corresponding to the requested operation exists in the cookies; if not, the front end has no operation permission; if so, the corresponding data interface returns business data to the front end's enterprise account. This design is equivalent to encrypting the user's id information: an attacker cannot obtain the user's id, which prevents forged WeChat enterprise account access requests, and it is minimally invasive to the original business interfaces.

Description

A method of preventing forged WeChat enterprise account access requests
Technical field
The present invention relates to the field of network communication technology, and in particular to a method of preventing forged WeChat enterprise account access requests.
Background technology
An enterprise account is the mobile application entry point that WeChat provides to corporate customers. Through OAuth-based redirection (OAuth single sign-on), user information such as the user's id can be obtained from messages pushed by the enterprise account or from menus in an enterprise account application. When the enterprise account internally triggers a jump to an H5 page of a service product, the OAuth mechanism ensures that the user information is genuine and reliable; but for redirections inside the H5 page after that jump, and for the H5 page's related interface requests, it is difficult to guarantee the reliability and authenticity of the client user. Two approaches are in use on the open market. The first is to block the H5 page's share operation, which does hide the H5 page's information; but sharing is a native operation of the WeChat client, so blocking it has a certain lag, and if the user operates fast enough the link can still be copied. The second is to obfuscate the H5 front-end code, which to some degree reduces the readability of the front-end code and raises the attacker's cost of analysing the front-end code and data flow; but an attacker can often still simulate user information, and mount an attack by simulating the data or by packet capture.
Invention content
To solve the above technical problems, the object of the present invention is to provide a method of preventing forged WeChat enterprise account access requests.
The technical solution adopted by the present invention is as follows:
A method of preventing forged WeChat enterprise account access requests comprises a first process chain and a second process chain;
The first process chain comprises the following steps:
the front end logs in to the server through the enterprise account and obtains the enterprise account user's id information based on OAuth single sign-on;
a temporary authorization instruction is generated from the user's id information;
the temporary authorization instruction is saved to the front end's local cookies;
The second process chain comprises the following steps:
the front end sends a request-data-interface operation to the server through the enterprise account;
the server judges whether a temporary authorization instruction corresponding to the requested operation exists in the cookies;
if not, the front end has no operation permission;
if so, the corresponding data interface returns business data to the front end's enterprise account.
In the first process chain, while the temporary authorization instruction is generated from the user's id information, the effective time of the temporary authorization instruction is set;
In the second process chain, if a temporary authorization instruction corresponding to the requested operation exists in the cookies, the server also judges from the effective time whether the temporary authorization instruction has expired;
if not, the corresponding data interface returns business data to the front end's enterprise account;
if so, the flow returns to the first process chain, and the enterprise account must log in to the server again to regenerate the temporary authorization instruction.
In the second process chain, the front end is redirected into the H5 page through the enterprise account login, and the H5 page requests the data interface from the server.
Beneficial effects of the present invention:
In the access request method of the present invention, when the user logs in to the server through the enterprise account, the first process chain obtains the enterprise account user's id information based on OAuth single sign-on and generates a temporary authorization instruction from it. Subsequent access requests form the second process chain: the front end jumps to the H5 page and sends a request-data-interface operation to the server through the enterprise account; the temporary authorization instruction in the cookies is checked, and only when a temporary authorization instruction corresponding to the requested operation exists does the corresponding data interface return business data to the front end's enterprise account. This is equivalent to encrypting the user's id information: an attacker cannot obtain the user's id, so forged WeChat enterprise account access requests are prevented, with low invasiveness to the original business interfaces.
Description of the drawings
The specific implementation of the present invention is further described below with reference to the accompanying drawings.
Fig. 1 is a flow diagram of the access request method of the present invention.
Specific implementation mode
As shown in Figure 1, the present invention comprises a first process chain and a second process chain;
The first process chain comprises the following steps:
the front end logs in to the server through the enterprise account and obtains the enterprise account user's id information based on OAuth single sign-on;
a temporary authorization instruction is generated from the user's id information;
the temporary authorization instruction is saved to the front end's local cookies;
The second process chain comprises the following steps:
the front end sends a request-data-interface operation to the server through the enterprise account;
the server judges whether a temporary authorization instruction corresponding to the requested operation exists in the cookies;
if not, the front end has no operation permission, and error code 202 is correspondingly returned to the front end to mark that it has no permission to call the interface;
if so, the corresponding data interface returns business data to the front end's enterprise account.
Here, OAuth single sign-on provides a secure, open and simple standard for authorizing access to user resources. Any third party can use OAuth authentication services, and any service provider can implement its own OAuth authentication service, so OAuth is open. The industry provides OAuth toolkits in many languages, such as PHP, JavaScript, Java and Ruby, which greatly saves programmers' time, so OAuth is simple. Many Internet services, such as open APIs, and many large companies such as Google, Yahoo and Microsoft provide OAuth authentication services. Under the public platform offered by WeChat, the user can enter an account number and password based on OAuth and perform single sign-on, so that the user's id information is obtained inside WeChat and a temporary authorization instruction is returned to the server side; the server side does not directly obtain the user's id information.
In the second process chain, the front end is redirected into the H5 page through the enterprise account login, and the H5 page requests the data interface from the server. Here the check can be attached to each interface method by AOP annotation (a Spring aspect); the benefit of annotating through AOP is that it is non-invasive to the original interfaces.
Further, in the first process chain, while the temporary authorization instruction is generated from the user's id information, the effective time of the temporary authorization instruction is set; this effective time can be specified by the developer;
In the second process chain, if a temporary authorization instruction corresponding to the requested operation exists in the cookies, the server also judges from the effective time whether the temporary authorization instruction has expired;
if not, the corresponding data interface returns business data to the front end's enterprise account;
if so, the flow returns to the first process chain, the enterprise account must log in to the server again to regenerate the temporary authorization instruction, and error code 203 is returned.
In the access request method of the present invention, when the user logs in to the server through the enterprise account, the first process chain obtains the enterprise account user's id information based on OAuth single sign-on and generates a temporary authorization instruction from it. Subsequent access requests form the second process chain: the front end jumps to the H5 page and sends a request-data-interface operation to the server through the enterprise account; the temporary authorization instruction in the cookies is checked, and only when a temporary authorization instruction corresponding to the requested operation exists does the corresponding data interface return business data to the front end's enterprise account. This is equivalent to encrypting the user's id information: an attacker cannot obtain the user's id, so forged WeChat enterprise account access requests are prevented, with low invasiveness to the original business interfaces.
The foregoing is merely the preferred embodiment of the present invention; the present invention is not limited to the above embodiment, and any technical solution that achieves the object of the invention by essentially the same means falls within the scope of protection of the present invention.
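The two process chains described above, as an added example that is not the patent's own code: a server-side issuer that mints the temporary authorization instruction (here an HMAC-authenticated token) after OAuth single sign-on has yielded the user id, and a decorator standing in for the AOP aspect that guards each data interface and returns the page's error codes 202 (no authorization) and 203 (expired). The token format, the cookie name `temp_auth`, the server key and the `order_list` interface are assumptions.

```python
"""Temporary-authorization guard modelled on the two process chains of CN108809957A.
Added example, not the patent's code: token format, cookie name, server key and the
business interface are assumed; error codes 202 and 203 come from the description."""
import base64
import hashlib
import hmac
import secrets
import time
from functools import wraps
from typing import Dict, Optional, Tuple

SERVER_KEY = b"constructed-server-side-secret"   # assumed: one secret per deployment
COOKIE_NAME = "temp_auth"                         # assumed cookie name
ERR_NO_PERMISSION = 202   # page: no temporary authorization for the requested operation
ERR_EXPIRED = 203         # page: authorization expired, enterprise-account re-login needed

# Server-side table: token -> (user_id, expiry). The user id never leaves the server;
# the browser only holds the opaque token in its cookie.
_ISSUED: Dict[str, Tuple[str, int]] = {}


def _sign(body: bytes) -> str:
    return hmac.new(SERVER_KEY, body, hashlib.sha256).hexdigest()


def issue_temp_authorization(user_id: str, ttl_seconds: int, now: Optional[int] = None) -> str:
    """First process chain: after OAuth SSO has yielded user_id, mint a temporary
    authorization token whose effective time (ttl_seconds) the developer chooses."""
    now = int(time.time()) if now is None else now
    exp = now + ttl_seconds
    body = base64.urlsafe_b64encode(f"{exp}:{secrets.token_hex(8)}".encode()).decode()
    token = f"{body}.{_sign(body.encode())}"
    _ISSUED[token] = (user_id, exp)
    return token


def check_temp_authorization(cookies: Dict[str, str], now: Optional[int] = None):
    """Second process chain. Returns (error_code or None, user_id or None)."""
    now = int(time.time()) if now is None else now
    token = cookies.get(COOKIE_NAME)
    if not token or "." not in token:
        return ERR_NO_PERMISSION, None
    body, tag = token.rsplit(".", 1)
    # A forged or tampered cookie fails the MAC and counts as no authorization at all.
    if not hmac.compare_digest(_sign(body.encode()), tag) or token not in _ISSUED:
        return ERR_NO_PERMISSION, None
    user_id, exp = _ISSUED[token]
    if now >= exp:
        _ISSUED.pop(token, None)   # force the caller back to the first process chain
        return ERR_EXPIRED, None
    return None, user_id


def require_temp_authorization(interface):
    """AOP-style advice: wrap a data interface so the cookie check runs before it,
    leaving the interface body itself untouched (non-invasive to the original API)."""
    @wraps(interface)
    def wrapper(request: dict, *args, **kwargs):
        code, user_id = check_temp_authorization(request.get("cookies", {}), request.get("now"))
        if code is not None:
            return {"code": code, "data": None}
        return {"code": 0, "data": interface(user_id, *args, **kwargs)}
    return wrapper


@require_temp_authorization
def order_list(user_id: str):
    """Hypothetical business interface; only reachable through the guard."""
    return [f"order-for-{user_id}"]
```

A real deployment would also set the cookie with HttpOnly, Secure and SameSite attributes so the token is not readable by page scripts or sent cross-site.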

Claims (3)

1. A method of preventing forged WeChat enterprise account access requests, characterized in that it comprises a first process chain and a second process chain;
the first process chain comprises the following steps:
the front end logs in to the server through the enterprise account and obtains the enterprise account user's id information based on OAuth single sign-on;
a temporary authorization instruction is generated from the user's id information;
the temporary authorization instruction is saved to the front end's local cookies;
the second process chain comprises the following steps:
the front end sends a request-data-interface operation to the server through the enterprise account;
the server judges whether a temporary authorization instruction corresponding to the requested operation exists in the cookies;
if not, the front end has no operation permission;
if so, the corresponding data interface returns business data to the front end's enterprise account.
2. The method of preventing forged WeChat enterprise account access requests according to claim 1, characterized in that: in the first process chain, while the temporary authorization instruction is generated from the user's id information, the effective time of the temporary authorization instruction is set;
in the second process chain, if a temporary authorization instruction corresponding to the requested operation exists in the cookies, the server also judges from the effective time whether the temporary authorization instruction has expired;
if not, the corresponding data interface returns business data to the front end's enterprise account;
if so, the flow returns to the first process chain, and the enterprise account must log in to the server again to regenerate the temporary authorization instruction.
3. The method of preventing forged WeChat enterprise account access requests according to claim 1, characterized in that: in the second process chain, the front end is redirected into the H5 page through the enterprise account login, and the H5 page requests the data interface from the server.
CN201810500409.8A, priority date 2018-05-23, filing date 2018-05-23: A method of preventing forged WeChat enterprise account access requests. Status: Pending. Publication: CN108809957A (en).

Priority Applications (1)

Application Number: CN201810500409.8A (CN108809957A, en); Priority Date: 2018-05-23; Filing Date: 2018-05-23; Title: A method of preventing forged WeChat enterprise account access requests

Publications (1)

Publication Number: CN108809957A; Publication Date: 2018-11-13

Family

ID=64092723

Country Status (1)

CN: CN108809957A (en)

Citations (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1812403A (en) * 2005-01-28 2006-08-02 广东省电信有限公司科学技术研究院 Single-point logging method for realizing identification across management field
CN103179134A (en) * 2013-04-19 2013-06-26 中国建设银行股份有限公司 Single sign on method and system based on Cookie and application server thereof
CN105072108A (en) * 2015-08-04 2015-11-18 小米科技有限责任公司 User information transmission method, device and system
CN105812350A (en) * 2016-02-03 2016-07-27 北京中搜云商网络技术有限公司 Cross-platform single-point registration system
US20160277390A1 (en) * 2013-12-27 2016-09-22 Sap Se Multi-domain applications with authorization and authentication in cloud environment
US20170093989A1 (en) * 2015-09-25 2017-03-30 International Business Machines Corporation Data sharing
CN106713271A (en) * 2016-11-25 2017-05-24 国云科技股份有限公司 Web system log in constraint method based on single sign-on
CN107483489A (en) * 2017-09-18 2017-12-15 上海上实龙创智慧能源科技股份有限公司 A kind of wisdom office system authentication method based on wechat enterprise number
CN107819570A (en) * 2016-09-10 2018-03-20 长沙有干货网络技术有限公司 A kind of cross-domain single login method based on variable Cookie


Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
LEAPMIE: "企业微信号开发(二)" (Enterprise WeChat account development, part 2), 《HTTPS://WWW.CNBLOGS.COM/LEAP/P/5913027.HTML》 *


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20181113