WO2021008034A1 - Method and apparatus for network request security verification, and computing device and storage medium - Google Patents

Method and apparatus for network request security verification, and computing device and storage medium

Publication number
WO2021008034A1
Authority
WO
WIPO (PCT)
Prior art keywords
time
token
network request
sender
expiration time
Application number
PCT/CN2019/117695
Other languages
French (fr)
Chinese (zh)
Inventor
颜媛
Original Assignee
平安普惠企业管理有限公司
Application filed by 平安普惠企业管理有限公司

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0807 Network architectures or network communication protocols for network security for authentication of entities using tickets, e.g. Kerberos
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/321 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving a third party or a trusted authority
    • H04L9/3213 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving a third party or a trusted authority using tickets or tokens, e.g. Kerberos

Definitions

  • This application relates to the field of network monitoring technology, and in particular to a method, device, computing device, and computer non-volatile readable storage medium for verifying network request security.
  • Token is in the era of information security
  • Token has a certain timeliness as a token in identity authentication.
  • the server will return a token to the client or App.
  • the request submitted by the client or App will carry this token.
  • the server judges whether the user's request is legal based on the token.
  • the inventor of this application realizes that at present, in order to ensure the effectiveness of the token, a certain validity period is set for the token.
  • the token expires, the user must verify the identity when submitting the request again.
  • the user may be using the client or App when the token expires, which damages the user experience; but if the validity period of the token is extended to protect the user experience, the security of the token is reduced. Therefore, user experience and token security cannot both be satisfied at the same time.
  • the purpose of this application is to provide a network request security verification method, device, computing device and computer non-volatile readable storage medium.
  • a network request security verification method including:
  • a network request security verification device including:
  • the receiving module is configured to receive the first network request
  • a sending module configured to generate a first token according to the first network request and send the first token to the sending end of the first network request, wherein the first token includes the expiration time of the first token;
  • the determining module is configured to determine the time for monitoring the triggering operation of the sending end of the first network request
  • the adjustment module is configured to, when a trigger operation of the sending end of the first network request is monitored at the time, adjust the expiration time of the first token according to the trigger operation to obtain the adjusted expiration time of the first token;
  • the confirmation module is configured to confirm that the second network request is legal when the second network request carrying the first token is received before the adjusted expiration time.
  • a computing device including a memory and a processor, wherein the memory is used to store a program of the network request security verification method for the processor, and the processor is configured to execute the program of the network request security verification method to perform the following processing: receiving a first network request; generating a first token according to the first network request and sending the first token to the sender of the first network request, wherein the first token includes the expiration time of the first token; determining the time for monitoring the trigger operation of the sending end of the first network request; when a trigger operation of the sending end of the first network request is monitored at the time, adjusting the expiration time of the first token according to the trigger operation to obtain the adjusted expiration time of the first token; when a second network request carrying the first token is received before the adjusted expiration time, confirming that the second network request is legal.
  • a computer non-volatile readable storage medium storing computer readable instructions
  • a program for a network request security verification method is stored thereon, and when the program of the network request security verification method is executed by the processor, the following processing is implemented: receiving a first network request; generating a first token according to the first network request and sending the first token to the sending end of the first network request, wherein the first token includes the expiration time of the first token; determining the time to monitor the trigger operation of the sender of the first network request; when a trigger operation of the sender of the first network request is monitored at the time, adjusting the expiration time of the first token according to the trigger operation to obtain the adjusted expiration time of the first token; when a second network request carrying the first token is received before the adjusted expiration time, confirming that the second network request is legal.
  • the foregoing network request security verification method, device, computing device, and computer non-volatile readable storage medium realize dynamic optimization of the token expiration time by automatically adjusting the expiration time of the token according to the user's trigger operations after the token is generated for the network request, which greatly reduces the possibility of the user experience being damaged by the expiration of the token, and guarantees the user experience while taking the security of the token into account.
  • Fig. 1 is a schematic diagram showing an application scenario of a method for verifying network request security according to an exemplary embodiment
  • Fig. 2 is a flow chart showing a method for verifying the security of a network request according to an exemplary embodiment
  • FIG. 3 is a flowchart showing details of step 220 of an embodiment according to the embodiment corresponding to FIG. 2;
  • FIG. 4 is a flowchart showing details of step 230 of an embodiment according to the embodiment corresponding to FIG. 2;
  • FIG. 5 is a detailed flowchart of step 240 according to an embodiment shown in the embodiment corresponding to FIG. 2;
  • FIG. 6 is a flowchart showing details of step 240 in another embodiment according to the embodiment corresponding to FIG. 2;
  • Fig. 7 is a block diagram showing a device for verifying network request security according to an exemplary embodiment
  • Fig. 8 is an exemplary block diagram showing a computing device for implementing the above-mentioned network request security verification method according to an exemplary embodiment
  • Fig. 9 shows a computer non-volatile readable storage medium for implementing the above-mentioned network request security verification method according to an exemplary embodiment.
  • the network request may be any request established by sending a request message on the network, and may be a request based on various protocols, for example, a more typical request may be a request based on the HTTP protocol.
  • the verification of the security of the network request refers to confirming whether the network request meets certain security standards or requirements. Compared with an unverified network request, a security-verified network request is more secure, that is, a security-verified network request is less likely to be an illegal network request, so the security verification of the network request is an important part of judging whether the network request is legal.
  • the implementation terminal of this application can be any device with computing, processing and communication functions. It can be a portable mobile device, such as a smart phone, a tablet computer, a notebook computer, etc., or a variety of fixed devices, such as computer equipment, on-site terminals, desktop computers, servers, workstations, etc.
  • Fig. 1 is a schematic diagram showing an application scenario of a method for verifying network request security according to an exemplary embodiment.
  • As shown in FIG. 1, the scenario includes a server 110, a desktop computer 120 and a token 130.
  • the server 110 and the desktop computer 120 are connected through a data link, and data can be transferred between each other through the communication link.
  • the desktop computer 120 sends a request message to the server 110 through a web page or a client
  • the server 110 may return the token 130 to the desktop computer 120 according to the request message.
  • the token 130 has an expiration time.
  • Before the expiration time of the token 130, the user can use the desktop computer 120 to perform various interactive activities that require the token 130 with the server 110 through a web page or a client; after the expiration time, the desktop computer 120 and the server 110 cannot perform interactive activities that require the token 130 until the server 110 issues a token to the desktop computer 120 again.
  • the expiration time of the token is fixed.
  • the inventor of this application realizes that the solution of using a fixed token expiration time has at least the following drawbacks: a token expiration time that is too short or unreasonable will cause the user's continuous interaction to be interrupted, which affects the user experience, while a token expiration time that is too long will reduce the security of the token.
  • Fig. 2 is a flow chart showing a method for verifying the security of a network request according to an exemplary embodiment.
  • Step 210 Receive a first network request.
  • the network request may be various network requests based on the Internet protocol established by sending request messages, for example, it may be a network request based on the HTTP protocol.
  • the first network request is generated using the POST or GET method under the HTTP protocol.
  • the local end is the target receiving end of the first network request, that is, the local end returns a corresponding response to the sending end of the first network request according to the first network request.
  • the target terminal other than the local end is the target receiver of the first network request, and the target terminal is used to return the corresponding response to the sender of the first network request according to the first network request.
  • the local end is used to generate a token and verify the security of the network request through the token, and the first network request received by the local end is forwarded to the local end by the target receiving end after it receives the first network request.
  • the method further includes: determining that the first network request is legal.
  • the local end has a registration identity library
  • the first network request is sent directly from the requesting end to the local end.
  • before sending a network request to the local end, each terminal must register with the local end, and the identifier of each terminal registered to send network requests is stored in the registered identifier library
  • the first network request includes a request header
  • the request header includes the identifier of the requesting end.
  • the determining that the first network request is legal includes: obtaining the identifier of the requesting end from the request header of the first network request; if the identifier exists in the registered identifier library, it is determined that the first network request is legal.
  • Step 220 Generate a first token according to the first network request and send the first token to the sender of the first network request.
  • the first token includes the expiration time of the first token.
  • the token is a string used to verify the legitimacy of the network request.
  • the format of the expiration time of the first token is a preset time format, for example, it may be 2019/2/15/18:00.
  • the format of the expiration time of the first token is a timestamp.
  • the first network request includes a uniform resource locator, system parameters, and service parameters
  • the first token is obtained by hashing the uniform resource locator (URL, Uniform Resource Locator), the system parameters and the service parameters with a hash algorithm.
  • the uniform resource locator is the address of the resource requested to be accessed by the first network request
  • the system parameter is a parameter that identifies the identity of the requester, such as the system identifier of the requester, the MAC (Media Access Control) address of the requester, or the IP (Internet Protocol) address of the requester, etc.
  • the service parameter is the identifier of the service used to initiate the request, for example, the name of the interface called by the user to initiate the request or the name of the service portal used; the hash algorithm can be any of several types of algorithm, such as SHA256, MD5, and other algorithms.
  • a hash operation is performed on a string composed of the uniform resource locator, system parameters, and service parameters to obtain a digest of the string; the string formed by the digest and the timestamp of the expiration time of the first token serves as the first token.
  • a hash operation is performed on each character string among the uniform resource locator, the system parameter, and the service parameter to obtain the digest of each character string, and the character string formed by the digests and the timestamp representing the expiration time of the first token is used as the first token.
  • the first network request includes the registered account of the requester, and the generating of the first token according to the first network request includes: using a hash algorithm to hash the requester's registered account in the first network request to obtain a digest of the registered account; a string composed of the preset token expiration time and the digest is used as the first token.
  • the first network request includes the registration account of the requesting party.
  • Before sending the network request, the requesting party completes the registration of the account by submitting identity information to the local end, and the registered account is generated for the requesting party, where the generated registered account and the submitted identity information are stored in correspondence on the local end.
  • the generating of the first token according to the first network request includes: obtaining the registered account of the requesting party included in the first network request; obtaining the identity information corresponding to the account; using a hash algorithm to hash the identity information to obtain a digest of the identity information; using a string consisting of a preset token expiration time and the digest as the first token.
  • the first network request includes the registered account of the requesting party
  • the generating of the first token according to the first network request includes: in response to receiving the first network request, generating a random character string, and storing the registered account of the requesting party in the first network request locally in correspondence with the random character string; using a hash algorithm to hash the random character string to obtain a digest of the random character string; using the character string formed by the timestamp of the expiration time of the first token and the digest as the first token.
  • the form of the random string can vary: for example, it can be a string of random length or a string of fixed length; in addition, the random string can be a string containing only numbers or only letters, or a string containing both letters and numbers.
  • the first token generation method is a method for generating the first token according to the first network request. It is understandable that there are various specific methods for generating the first token according to the first network request, which are not limited to those shown in the above embodiments. In actual applications, other first token generation methods can be selected based on factors such as security.
  • Step 230 Determine the time for monitoring the triggering operation of the sender of the first network request.
  • Determining the time to monitor the trigger operation of the sender of the first network request refers to determining when to monitor the trigger operation of the sender of the first network request.
  • the time mentioned here may be a time point or a time period.
  • the method includes:
  • the manner of monitoring the trigger operation of the sending end of the first network request may be by monitoring click events or button controls, etc., and specifically, different monitoring methods may be adopted according to different actual applications.
  • determining the time for monitoring the triggering operation of the sender of the first network request includes: starting from the sending of the first token to the sender of the first network request, using the preset first time period before each time point obtained at intervals of the preset second time period as the time for monitoring the triggering operation of the sending end of the first network request, wherein the first time period is less than the second time period.
  • For example, if the time at which the first token is sent to the sender of the first network request is 2:00, and the preset first time period and second time period are 3 hours and 5 hours, respectively, the first time point obtained, separated by 5 hours from 2:00, is 7:00, and the first time for monitoring the trigger operation of the sender of the first network request is 4:00-7:00; likewise, the second time for monitoring the triggering operation of the sender of the first network request is 9:00-12:00.
  • the advantage of this embodiment is that after the local end sends the first token to the sender of the first network request, it monitors the trigger operation of the sender of the first network request in fixed periods of time, which ensures the fairness of monitoring the trigger operation of the sender of the first network request.
  • determining the time to monitor the triggering operation of the sender of the first network request includes: acquiring the difference between the time of sending the first token to the sender of the first network request and the expiration time of the first token; determining the ratio of the difference to a preset time difference reference value, the preset time difference reference value corresponding to a first reference time period and a second reference time period, the first reference time period being less than the second reference time period; obtaining the product of the ratio and the first reference time period as the first standard time period, and the product of the ratio and the second reference time period as the second standard time period; starting from the sending of the first token to the sender of the first network request, using the first standard time period before each time point obtained at intervals of the second standard time period as the time for monitoring the trigger operation of the sender of the first network request.
  • the advantage of this embodiment is that the time for monitoring the triggering operation of the sending end of the first network request is determined adaptively according to the length of the time period from the time when the first token is sent to the sender of the first network request to the expiration time of the first token, so that the determined time for monitoring the triggering operation of the sending end of the first network request is more reasonable.
  • determining the time for monitoring the triggering operation of the sender of the first network request includes: dividing the time period between the sending of the first token to the sender of the first network request and the expiration time of the first token into a first number of time intervals; dividing each time interval obtained by the division into a second number of time sub-intervals; for each time interval, obtaining a random integer less than or equal to the second number; for each time interval, using the time sub-interval whose ordinal position in the time interval equals the random integer corresponding to that time interval as the time for monitoring the trigger operation of the sender of the first network request.
  • the advantage of this embodiment is that since each time interval includes a time for monitoring the triggering operation of the sender of the first network request, the fairness of the determined monitoring time is guaranteed; at the same time, within each time interval, the time sub-interval used as the time for monitoring the triggering operation of the sender of the first network request is random, so that the determined monitoring time has a certain randomness, which can improve security.
  • Step 240 When the trigger operation of the sender of the first network request is monitored at the time, adjust the expiration time of the first token according to the trigger operation to obtain the adjusted expiration time of the first token.
  • the expiration time of the first token is adjusted according to the trigger operation to obtain the adjusted expiration time of the first token, including:
  • the expiration time of the first token is delayed by a preset time period and used as the adjusted expiration time of the first token.
  • after the expiration time of the first token is adjusted according to the trigger operation to obtain the adjusted expiration time of the first token, when the trigger operation of the sending end of the first network request is monitored at the time, the method further includes: re-determining the time to monitor the trigger operation of the sender of the first network request and monitoring the trigger operation of the sender of the first network request at that time, until the first token is invalid.
  • the expiration time of the first token is adjusted according to the trigger operation to obtain the adjusted expiration time of the first token, including:
  • adjusting the expiration time of the first token according to the frequency of the trigger operation includes: if the frequency is greater than a preset frequency threshold, postponing the expiration time of the first token by a preset first time period, as the adjusted expiration time of the first token; if the frequency is not greater than the preset frequency threshold, postponing the expiration time of the first token by a preset second time period, as the adjusted expiration time of the first token, wherein the preset second time period is less than the preset first time period.
  • adjusting the expiration time of the first token according to the frequency of the trigger operation includes: obtaining the ratio of the frequency to a preset frequency threshold; determining the sum of the ratio and 1; using the product of the sum and the expiration time of the first token as the adjusted expiration time of the first token.
  • the advantage of this embodiment is that by adaptively adjusting the expiration time of the first token according to the frequency of the trigger operation, the adjusted expiration time of the first token can better meet user requirements.
  • Step 250 When a second network request carrying the first token is received before the adjusted expiration time, confirm that the second network request is legal.
  • the token is a string used to verify the legitimacy of a network request. Therefore, when a second network request carrying the first token is received, if the time of receiving the second network request is before the adjusted expiration time, that is, the first token has not expired, it can be confirmed that the second network request carries a valid first token, that is, the second network request is legal.
  • before confirming that the second network request is legal when the second network request carrying the first token is received before the adjusted expiration time, the method includes:
  • the dynamic optimization of the expiration time of the token is realized, which greatly reduces the possibility of the user experience being damaged by the expiration of the token, ensures the user experience while taking account of the security of the token, and can improve the efficiency of users when using network services that require tokens.
  • FIG. 3 is a flowchart showing the details of step 220 of an embodiment according to the embodiment corresponding to FIG. 2. As shown in Figure 3, it includes the following steps:
  • Step 221 Generate a pending first token according to the first network request.
  • the pending first token does not include expiration time.
  • the first network request includes a uniform resource locator and the identity of the sender of the first network request
  • the generating of the pending first token according to the first network request includes: performing a hash operation on a string composed of the uniform resource locator included in the first network request and the identity of the sender of the first network request to obtain a digest of the string; and using the digest as the pending first token.
  • Step 222 Determine the type of the first network request.
  • the first network request has a type identifier for identifying the type of the first network request.
  • Step 223 Determine the expiration time of the first token to be generated according to the type.
  • the first network request has a type identifier, and the type identifier and the expiration time are correspondingly stored in a correspondence table.
  • the type identifier in the first network request is obtained, and the expiration time corresponding to the type identifier in the correspondence table is used as the expiration time of the first token to be generated.
  • Step 224 Add the expiration time to the pending first token to generate a first token, and send the first token to the sender of the first network request.
  • the advantage of the embodiment shown in FIG. 3 is that by determining the expiration time of different first tokens according to different types of the first network request, the first token generated for the network request is more reasonable.
  • FIG. 4 is a flowchart showing details of step 230 of an embodiment according to the embodiment corresponding to FIG. 2. As shown in FIG. 4, step 230 includes the following steps:
  • Step 231 Obtain the time when the first token is sent to the sender of the first network request as the first time.
  • the local end has a built-in timer, which records the sending time of each token, and the time at which the first token was sent to the sending end of the first network request is obtained by reading the timer.
  • Step 232 Obtain a time period of x minutes each time from the first time as a time for monitoring the triggering operation of the sender of the first network request.
  • the time period of x minutes each time from the first time is a time period of fixed length.
  • the time period of each interval may be 5 minutes, that is, whether the sending end of the first network request has a trigger operation within 5 minutes before each acquisition.
  • the length of the time period of x minutes each time from the first time is a preset arithmetic sequence.
  • the preset arithmetic sequence is 20, 15, 10, and 5, and if the first time is 18:00, the obtained times for monitoring the triggering operation of the sender of the first network request can be 18:00-18:20, 18:20-18:35, 18:35-18:45 and 18:45-18:50 respectively.
  • the time x minutes of each interval from the first time is determined by the following method: obtaining the first parameter value according to the expiration time of the first token; using the first parameter Value, determine the time x minutes of each interval from the first time.
  • the obtaining the first parameter value according to the expiration time of the first token includes:
  • M is the difference between the expiration time and the effective time of the first token
  • n is the time for monitoring the sending of the first network request when using x minutes as the time for the triggering operation of the sending end of the first network request to be monitored
  • Sort the number of terminal trigger operations, y is the first parameter value
  • Said using said first parameter value to determine the time x minutes of each interval starting from said first time includes:
  • the frequency of monitoring the triggering operation of the sender of the first network request is getting higher and higher, that is, the time interval between monitoring the trigger operations of the sender of the first network request is getting shorter and shorter, so the advantage of this embodiment is that by setting a certain time interval at which the sender's trigger operation is monitored, resources such as computing overhead are saved, and at the same time, the density of monitoring the sending end's trigger operations is increased when the first token is about to expire, which makes user operations less likely to be interrupted by token expiration and improves user experience.
  • FIG. 5 is a flowchart showing details of step 240 in an embodiment according to the embodiment corresponding to FIG. 2.
  • the time at which the trigger operation of the sender of the first network request is monitored is the second time; as shown in FIG. 5, step 240 includes the following steps:
  • Step 241: Obtain the time at which the first token was sent to the sender of the first network request as the first time.
  • the sender of the first network request has a log that records the time at which it received each token
  • the implementation terminal of this application has an embedded script
  • acquiring the time at which the first token was sent to the sender of the first network request includes: using the script to crawl that time from the log of the sender of the first network request.
  • Step 242: Determine the difference between the expiration time and the first time.
  • the difference is positive.
  • Step 243: Obtain the sum of the difference and the second time as the adjusted expiration time of the first token.
  • the first time is 15:00
  • the time at which the trigger operation of the sender of the first network request is monitored is 15:20
  • the expiration time of the first token is 15:30
  • is the difference between the expiration time of the first token and the first time.
  • the advantage of the embodiment shown in FIG. 5 is that the expiration time of the first token is extended according to the length of the first token's validity period, so that, with the adjusted expiration time, user operations are to a greater extent not interrupted by token expiration, which improves the user experience.
  • FIG. 6 is a flowchart showing details of step 240 in another embodiment according to the embodiment corresponding to FIG. 2. As shown in Figure 6, step 240 includes the following steps:
  • Step 241': When a trigger operation of the sender of the first network request is monitored at the time, acquire the type of the trigger operation.
  • each trigger operation corresponds to a service name
  • the service name of the trigger operation is used as the type of the trigger operation
  • the service name corresponding to the trigger operation will be obtained, and the service name may be used as the type of the trigger operation.
  • Step 242' Determine an adjustment mode of the expiration time of the first token according to the type of the trigger operation.
  • the type of the trigger operation is the risk level corresponding to each trigger operation
  • the method for determining the expiration time of the first token according to the type of the trigger operation includes:
  • is the adjusted expiration time
  • is the expiration time
  • M is the difference between the expiration time and the effective time of the first token
  • is the risk level. It can be seen that the higher the risk level, the smaller the adjusted expiration time, that is, the earlier the adjusted expiration time.
  • the risk level of trigger operations involving financial client, transfer, password modification, and change of bound mobile phone number can be level 3
  • the risk level of trigger operations involving querying transaction records and querying personal information can be level 2, and the risk level of trigger operations involving browsing news and news viewing is level 1
  • compared with a trigger operation with a lower risk level, a trigger operation with a higher risk level has less adjustment effect on the first token; that is, the higher the risk level of the trigger operation, the shorter the final delay, even though the expiration time of the first token is delayed, which can improve security.
  • the advantage of this embodiment is that, by using different expiration time adjustment modes according to the type of the monitored trigger operation, a trigger operation can still delay the expiration time of the first token, while the length by which a high-risk trigger operation can extend the expiration time is reduced, which to a certain extent reduces the risk introduced by extending the token expiration time.
  • Step 243': Adjust the expiration time of the first token according to the adjustment mode to obtain the adjusted expiration time of the first token.
  • the expiration time of the first token is adjusted using different adjustment modes according to the type of trigger operation, so that the adjusted expiration time of the first token is more reasonable, which improves how well the adjusted expiration time of the first token matches the user's trigger operation.
  • This application also provides a device for verifying the security of a network request.
  • the following are device embodiments of the application.
  • Fig. 7 is a block diagram showing a device for verifying network request security according to an exemplary embodiment. As shown in FIG. 7, the device 700 includes:
  • the receiving module 710 is configured to receive the first network request.
  • the sending module 720 is configured to generate a first token according to the first network request and send the first token to the sender of the first network request, wherein the first token includes the expiration time of the first token.
  • the determining module 730 is configured to determine the time for monitoring the triggering operation of the sender of the first network request.
  • the adjustment module 740 is configured to, when a trigger operation of the sender of the first network request is monitored at the time, adjust the expiration time of the first token according to the trigger operation to obtain the adjusted expiration time of the first token.
  • the confirmation module 750 is configured to confirm that the second network request is legal when the second network request carrying the first token is received before the adjusted expiration time.
  • the sending module is further configured to:
  • the expiration time is added to the pending first token to generate a first token, and the first token is sent to the sender of the first network request.
  • the determining module is further configured to:
  • the time x minutes of each interval from the first time is determined in the following manner:
  • the obtaining the first parameter value according to the expiration time of the first token includes:
  • M is the difference between the expiration time and the effective time of the first token
  • n is the ordinal number of the current monitoring of trigger operations of the sender of the first network request, when x minutes is used as the time for monitoring those trigger operations, and y is the first parameter value
  • using the first parameter value to determine the x minutes of each interval starting from the first time includes:
  • the time when the trigger operation of the sender of the first network request is monitored is the second time
  • the adjustment module is further configured to:
  • the sum of the difference and the second time is obtained as the adjusted expiration time of the first token.
  • the adjustment module is further configured to:
  • the expiration time of the first token is adjusted to obtain the adjusted expiration time of the first token.
  • the computing device includes:
  • at least one processor
  • a memory communicatively connected with the at least one processor; wherein,
  • the memory stores instructions that can be executed by the at least one processor, and the instructions are executed by the at least one processor so that the at least one processor can execute the network request security verification method shown in any one of the above exemplary embodiments.
  • the computing device 800 according to this embodiment of the present application will be described below with reference to FIG. 8.
  • the computing device 800 shown in FIG. 8 is only an example, and should not bring any limitation to the functions and scope of use of the embodiments of the present application.
  • the computing device 800 is represented in the form of a general-purpose computing device.
  • the components of the computing device 800 may include, but are not limited to: the aforementioned at least one processing unit 810, the aforementioned at least one storage unit 820, and a bus 830 connecting different system components (including the storage unit 820 and the processing unit 810).
  • the storage unit stores program code, and the program code can be executed by the processing unit 810, so that the processing unit 810 executes the steps of the various exemplary implementations described in the "Methods of Embodiments" section of this specification.
  • the storage unit 820 may include a readable medium in the form of a volatile storage unit, such as a random access storage unit (RAM) 821 and/or a cache storage unit 822, and may further include a read-only storage unit (ROM) 823.
  • the storage unit 820 may also include a program/utility tool 824 having a set of (at least one) program modules 825.
  • program module 825 includes but is not limited to: an operating system, one or more application programs, other program modules, and program data; each of these examples, or some combination of them, may include the implementation of a network environment.
  • the bus 830 may represent one or more of several types of bus structures, including a storage unit bus or storage unit controller, a peripheral bus, a graphics acceleration port, a processing unit, or a local bus using any of multiple bus structures.
  • the computing device 800 may also communicate with one or more external devices 1000 (such as keyboards, pointing devices, Bluetooth devices, etc.), with one or more devices that enable users to interact with the computing device 800, and/or with any device (e.g., router, modem, etc.) that enables the computing device 800 to communicate with one or more other computing devices. This communication can be performed through an input/output (I/O) interface 850.
  • the computing device 800 may also communicate with one or more networks (for example, a local area network (LAN), a wide area network (WAN), and/or a public network, such as the Internet) through the network adapter 860. As shown in the figure, the network adapter 860 communicates with other modules of the computing device 800 through the bus 830.
  • computing device 800 includes hardware and/or software modules, including but not limited to: microcode, device drivers, redundant processing units, external disk drive arrays, RAID systems, tape drives, and data backup storage systems.
  • the exemplary embodiments described herein can be implemented by software, or by combining software with the necessary hardware. Therefore, the technical solution according to the embodiments of the present application can be embodied in the form of a software product, which can be stored in a non-volatile storage medium (which can be a CD-ROM, USB flash drive, mobile hard disk, etc.) or on a network, and which includes several instructions to make a computing device (which may be a personal computer, server, terminal device, or network device, etc.) execute the method according to the embodiment of the present application.
  • a computer non-volatile readable storage medium on which is stored a program product capable of implementing the above method of this specification.
  • each aspect of the present application can also be implemented in the form of a program product, which includes program code.
  • when the program product runs on a terminal device, the program code is used to make the terminal device execute the steps according to various exemplary embodiments of the present application described in the above-mentioned "Exemplary Method" section of this specification.
  • a computer non-volatile readable storage medium 900 for implementing the above method according to an embodiment of the present application is described, which may adopt a portable compact disk read-only memory (CD-ROM), includes program code, and can run on terminal devices such as personal computers.
  • the program product of this application is not limited to this.
  • the computer non-volatile readable storage medium can be any tangible medium that contains or stores a program, and the program can be used by or in combination with an instruction execution system, apparatus, or device.
  • the program product can use any combination of one or more readable media.
  • the readable medium may be a readable signal medium or a readable storage medium.
  • the readable storage medium may be, for example, but not limited to, an electrical, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or a combination of any of the above. More specific examples (non-exhaustive list) of readable storage media include: electrical connections with one or more wires, portable disks, hard disks, random access memory (RAM), read only memory (ROM), erasable programmable read only memory (EPROM or flash memory), optical fiber, portable compact disk read only memory (CD-ROM), optical storage device, magnetic storage device, or any suitable combination of the above.
  • the computer-readable signal medium may include a data signal propagated in baseband or as a part of a carrier wave, and readable program code is carried therein. This propagated data signal can take many forms, including but not limited to electromagnetic signals, optical signals, or any suitable combination of the foregoing.
  • the readable signal medium may also be any readable medium other than a readable storage medium, and the readable medium may send, propagate, or transmit a program for use by or in combination with the instruction execution system, apparatus, or device.
  • the program code contained on the readable medium can be transmitted by any suitable medium, including but not limited to wireless, wired, optical cable, RF, etc., or any suitable combination of the foregoing.
  • the program code used to perform the operations of this application can be written in any combination of one or more programming languages.
  • the programming languages include object-oriented programming languages, such as Java and C++, as well as conventional procedural programming languages, such as the "C" language or similar programming languages.
  • the program code can be executed entirely on the user's computing device, partly on the user's device, as an independent software package, partly on the user's computing device and partly on a remote computing device, or entirely on a remote computing device or server.
  • the remote computing device can be connected to the user's computing device through any kind of network, including a local area network (LAN) or a wide area network (WAN), or can be connected to an external computing device (for example, via the Internet using an Internet service provider).
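The Step 232 monitoring periods and the FIG. 5 adjustment (Steps 241 to 243) described above, as an added Python example that is not code from the patent. The names `at`, `IssuedToken`, `adjust_on_trigger` and `is_legitimate`, the refusal to extend a token that has already expired, and the optional `max_lifetime_min` ceiling are assumptions of this example.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional, Sequence, Tuple

Window = Tuple[datetime, datetime]


def at(hour: int, minute: int) -> datetime:
    """Constructed sample timestamp on an arbitrary fixed day."""
    return datetime(2019, 7, 12, hour, minute)


def monitoring_windows(first_time: datetime, lengths_min: Sequence[int]) -> List[Window]:
    """Step 232: consecutive monitoring periods starting at the first time."""
    windows: List[Window] = []
    start = first_time
    for minutes in lengths_min:
        end = start + timedelta(minutes=minutes)
        windows.append((start, end))
        start = end
    return windows


@dataclass
class IssuedToken:
    first_time: datetime                 # time the token was sent (Step 241)
    expiration: datetime                 # expiration time carried in the token
    value: str = field(default_factory=lambda: secrets.token_urlsafe(32))
    adjusted_expiration: Optional[datetime] = None

    def __post_init__(self) -> None:
        # Step 242 requires a positive difference.
        if self.expiration <= self.first_time:
            raise ValueError("expiration must be later than the sending time")

    @property
    def effective_expiration(self) -> datetime:
        return self.adjusted_expiration or self.expiration


def adjust_on_trigger(token: IssuedToken, second_time: datetime,
                      windows: Sequence[Window],
                      max_lifetime_min: Optional[int] = None) -> bool:
    """Steps 242-243: adjusted expiration = second time + (expiration - first time)."""
    if not any(start <= second_time < end for start, end in windows):
        return False                     # trigger fell outside every monitored period
    if second_time >= token.effective_expiration:
        return False                     # assumption: an expired token is never revived
    difference = token.expiration - token.first_time
    adjusted = second_time + difference
    if max_lifetime_min is not None:
        # Assumption (not in the patent): absolute ceiling on total token lifetime.
        ceiling = token.first_time + timedelta(minutes=max_lifetime_min)
        adjusted = min(adjusted, ceiling)
    # A trigger never shortens the current expiration.
    token.adjusted_expiration = max(adjusted, token.effective_expiration)
    return True


def is_legitimate(token: IssuedToken, presented_value: str, received_at: datetime) -> bool:
    """Second request is accepted only with the right token before the expiration."""
    same = hmac.compare_digest(token.value.encode(), presented_value.encode())
    return same and received_at < token.effective_expiration


if __name__ == "__main__":
    for start, end in monitoring_windows(at(18, 0), [20, 15, 10, 5]):
        print(f"{start:%H:%M}-{end:%H:%M}")
    tok = IssuedToken(first_time=at(15, 0), expiration=at(15, 30))
    adjust_on_trigger(tok, at(15, 20), monitoring_windows(at(15, 0), [20, 15, 10, 5]))
    print(f"adjusted expiration: {tok.effective_expiration:%H:%M}")
```

Without a ceiling, a sender that keeps producing trigger operations can keep the same token valid indefinitely, which is why the example exposes `max_lifetime_min`.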

Abstract

The present application relates to the field of network monitoring, and disclosed thereby are a method and apparatus for network request security verification, a computing device and a storage medium. The method comprises: receiving a first network request; generating a first token according to the first network request and sending the first token to a sending end of the first network request, the first token containing an expiration time; determining a time during which a trigger operation of the sending end of the first network request is monitored; when the trigger operation of the sending end of the first network request is detected during said time, adjusting the expiration time of the first token according to the trigger operation so as to obtain an adjusted expiration time of the first token; when a second network request carrying the first token is received before the adjusted expiration time, determining that the second network request is legitimate. By adjusting the expiration time of the token according to the trigger operation of a user after the token is generated for the network request, dynamic optimization of the token expiration time is achieved, thereby attending to the security of the token while guaranteeing user experience.

Description

Network request security verification method, apparatus, computing device and storage medium
This application is based on and claims priority to the Chinese patent application filed on July 12, 2019, with application number CN 201910630624.4 and titled "Network request security verification method, apparatus, medium and electronic device", the entire content of which is incorporated herein by reference.
Technical field
This application relates to the field of network monitoring technology, and in particular to a network request security verification method, apparatus, computing device, and computer non-volatile readable storage medium.
Background
With the arrival of the Internet era, various technologies, including network protocols, provide a secure and orderly environment for network communication, allowing people to roam freely in the ocean of the network; the token is an important technology of the information security era. As a credential in identity authentication, a token is valid only for a limited time. At present, in most clients or apps, when a user logs in to the server or submits a form to the server, the server returns a token to the client or app; when the user logs in again or submits a form again, the request submitted by the client or app carries that token, and the server judges from the token whether the user's request is legitimate.
The inventor of this application realized that, at present, to ensure the token's effectiveness, a validity period is set for the token; once the token expires, the user must verify their identity when submitting a request again. The user may be using the client or app at that moment, which damages the user experience; but if the validity period of every token is extended to protect the user experience, the security of the token is reduced. User experience and token security therefore cannot both be served.
Summary of the invention
To solve the technical problem in the related art that token expiration damages the user experience and ultimately makes users' use of network services inefficient, the purpose of this application is to provide a network request security verification method, apparatus, computing device and computer non-volatile readable storage medium.
In a first aspect, a network request security verification method is provided, including:
receiving a first network request;
generating a first token according to the first network request and sending the first token to the sender of the first network request, wherein the first token contains the expiration time of the first token;
determining the time for monitoring trigger operations of the sender of the first network request;
when a trigger operation of the sender of the first network request is monitored at the time, adjusting the expiration time of the first token according to the trigger operation to obtain the adjusted expiration time of the first token;
when a second network request carrying the first token is received before the adjusted expiration time, confirming that the second network request is legitimate.
In a second aspect, a network request security verification apparatus is provided, including:
a receiving module, configured to receive a first network request;
a sending module, configured to generate a first token according to the first network request and send the first token to the sender of the first network request, wherein the first token contains the expiration time of the first token;
a determining module, configured to determine the time for monitoring trigger operations of the sender of the first network request;
an adjustment module, configured to, when a trigger operation of the sender of the first network request is monitored at the time, adjust the expiration time of the first token according to the trigger operation to obtain the adjusted expiration time of the first token;
a confirmation module, configured to confirm that a second network request is legitimate when the second network request carrying the first token is received before the adjusted expiration time.
In a third aspect, a computing device is provided, including a memory and a processor, the memory being used to store a program of the network request security verification method for the processor, and the processor being configured to perform the following processing by executing the program of the network request security verification method: receiving a first network request; generating a first token according to the first network request and sending the first token to the sender of the first network request, wherein the first token contains the expiration time of the first token; determining the time for monitoring trigger operations of the sender of the first network request; when a trigger operation of the sender of the first network request is monitored at the time, adjusting the expiration time of the first token according to the trigger operation to obtain the adjusted expiration time of the first token; when a second network request carrying the first token is received before the adjusted expiration time, confirming that the second network request is legitimate.
In a fourth aspect, a computer non-volatile readable storage medium storing computer-readable instructions is provided, on which a program of the network request security verification method is stored; when the program of the network request security verification method is executed by a processor, the following processing is implemented: receiving a first network request; generating a first token according to the first network request and sending the first token to the sender of the first network request, wherein the first token contains the expiration time of the first token; determining the time for monitoring trigger operations of the sender of the first network request; when a trigger operation of the sender of the first network request is monitored at the time, adjusting the expiration time of the first token according to the trigger operation to obtain the adjusted expiration time of the first token; when a second network request carrying the first token is received before the adjusted expiration time, confirming that the second network request is legitimate.
The above network request security verification method, apparatus, computing device and computer non-volatile readable storage medium automatically adjust the expiration time of the token according to the user's trigger operations after a token has been generated for a network request. This dynamically optimizes the token's expiration time, greatly reduces the possibility of the user experience being damaged by token expiration, and takes the security of the token into account while protecting the user experience.
It should be understood that the above general description and the following detailed description are only exemplary and do not limit this application.
Description of the drawings
Fig. 1 is a schematic diagram showing an application scenario of a network request security verification method according to an exemplary embodiment;
Fig. 2 is a flowchart showing a network request security verification method according to an exemplary embodiment;
Fig. 3 is a flowchart showing details of step 220 in an embodiment according to the embodiment corresponding to Fig. 2;
Fig. 4 is a flowchart showing details of step 230 in an embodiment according to the embodiment corresponding to Fig. 2;
Fig. 5 is a flowchart showing details of step 240 in an embodiment according to the embodiment corresponding to Fig. 2;
Fig. 6 is a flowchart showing details of step 240 in another embodiment according to the embodiment corresponding to Fig. 2;
Fig. 7 is a block diagram showing a network request security verification apparatus according to an exemplary embodiment;
Fig. 8 is an example block diagram showing a computing device for implementing the above network request security verification method according to an exemplary embodiment;
Fig. 9 shows a computer non-volatile readable storage medium for implementing the above network request security verification method according to an exemplary embodiment.
Detailed description
Exemplary embodiments are described in detail here, and examples of them are shown in the accompanying drawings. When the following description refers to the drawings, the same numbers in different drawings denote the same or similar elements unless otherwise indicated. The implementations described in the following exemplary embodiments do not represent all implementations consistent with this application. On the contrary, they are only examples of apparatuses and methods consistent with some aspects of this application as detailed in the appended claims.
In addition, the drawings are only schematic illustrations of this application and are not necessarily drawn to scale. The same reference numerals in the figures denote the same or similar parts, so their repeated description is omitted. Some of the block diagrams shown in the drawings are functional entities and do not necessarily correspond to physically or logically independent entities.
This application first provides a network request security verification method. A network request can be any request established by sending a request message over a network, and can be based on various protocols; a typical case is a request based on the HTTP protocol. Verifying the security of a network request means confirming whether the request meets certain security standards or requirements. Compared with an unverified network request, a network request that has passed security verification is more secure, that is, it is less likely to be an illegitimate network request, so security verification is an important step in judging whether a network request is legitimate. The implementation terminal of this application can be any device with computing, processing and communication functions. It can be a portable mobile device, such as a smartphone, tablet computer or notebook computer, or any of various fixed devices, such as computer equipment, a field terminal, a desktop computer, a server or a workstation.
Fig. 1 is a schematic diagram showing an application scenario of a network request security verification method according to an exemplary embodiment. As shown in Fig. 1, the scenario includes a server 110, a desktop computer 120 and a token 130. In Fig. 1, the server 110 and the desktop computer 120 are connected by a data link, over which they can transfer data to each other. After the desktop computer 120 sends a request message to the server 110 through a web page or a client, the server 110 can return the token 130 to the desktop computer 120 according to the request message. The token 130 has an expiration time. Before the expiration time of the token 130, the user can use the desktop computer 120 to carry out, through a web page or client, the various interactions with the server 110 that require the token 130; after the expiration time of the token 130, the desktop computer 120 and the server 110 cannot carry out interactions that require the token 130 until the server 110 again issues a relevant token to the desktop computer 120. In the traditional approach, the expiration time of the token is fixed. The inventor of this application realized that using a fixed token expiration time has at least the following drawbacks: a token expiration time that is too short or poorly chosen interrupts the user's continuous interaction and harms the user experience, while a token expiration time that is too long reduces the security of the token.
Fig. 2 is a flowchart of a network request security verification method according to an exemplary embodiment.
As shown in Fig. 2, the method includes the following steps:
Step 210: receive a first network request.
The network request may be any Internet-protocol-based network request established by sending a request message, for example a network request based on the HTTP protocol.
In one embodiment, the first network request is generated using the POST or GET method of the HTTP protocol.
In one embodiment, the local end is the target receiver of the first network request, that is, the local end returns the corresponding response to the sender of the first network request according to the first network request.
In one embodiment, a target terminal other than the local end is the target receiver of the first network request. The target terminal returns the corresponding response to the sender of the first network request according to the first network request; the local end generates tokens and verifies the security of network requests by means of tokens; and the first network request received by the local end is forwarded to the local end by the target receiver after the target receiver receives it.
In one embodiment, after receiving the first network request, the method further includes: determining that the first network request is legal.
In one embodiment, the local end has a registered identifier library and the first network request is sent directly from the requesting end to the local end. Before sending a network request to the local end, each terminal must register with the local end, and the identifier of the terminal requesting registration is saved to the registered identifier library. The first network request includes a request header, and the request header includes the identifier of the requesting end. Determining that the first network request is legal includes: obtaining the identifier of the requesting end from the request header of the first network request; and, if the identifier exists in the registered identifier library, determining that the first network request is legal.
Step 220: generate a first token according to the first network request and send the first token to the sender of the first network request.
The first token includes the expiration time of the first token.
A token is a string used to verify the legitimacy of a network request.
In one embodiment, the expiration time of the first token is in a preset time format, for example 2019/2/15/18:00.
In one embodiment, the expiration time of the first token is in the form of a timestamp.
In one embodiment, the first network request includes a uniform resource locator, system parameters and service parameters, and the first token is obtained by applying a hash algorithm to the uniform resource locator (URL), the system parameters and the service parameters. The uniform resource locator is the address of the resource that the first network request asks to access. A system parameter is a parameter that identifies the requesting end, such as the system identifier of the requesting end, the MAC (Media Access Control) address of the requesting end, or the IP (Internet Protocol) address of the requesting end. A service parameter is the identifier of the service used to initiate the request, for example the name of the interface called by the user to initiate the request or the name of the service entry used. The hash algorithm may be any of several algorithms, such as SHA256 or MD5.
In one embodiment, a hash operation is performed on the string formed by concatenating the uniform resource locator, the system parameters and the service parameters to obtain a digest of that string; the string formed by the digest and a timestamp representing the expiration time of the first token is used as the first token.
In one embodiment, a hash operation is performed separately on each of the strings among the uniform resource locator, the system parameters and the service parameters to obtain a digest of each string, and the string formed by the digests and a timestamp representing the expiration time of the first token is used as the first token.
In one embodiment, the first network request includes the registered account of the requester, and generating the first token according to the first network request includes: performing a hash operation on the registered account of the requester in the first network request to obtain a digest of the registered account; and using the string formed by a preset token expiration time and the digest as the first token.
In one embodiment, the first network request includes the registered account of the requester. Before sending a network request, the requester completes account registration by submitting identity information to the local end, and a registered account is generated for the requester; the generated registered account and the submitted identity information are stored in correspondence at the local end. Generating the first token according to the first network request includes: obtaining the registered account of the requester included in the first network request; obtaining the identity information corresponding to the registered account; performing a hash operation on the identity information to obtain a digest of the identity information; and using the string formed by a preset token expiration time and the digest as the first token.
In one embodiment, the first network request includes the registered account of the requester, and generating the first token according to the first network request includes: in response to receiving the first network request, generating a random string and storing the registered account of the requester in the first network request locally in correspondence with the random string; performing a hash operation on the random string to obtain a digest of the random string; and using the string formed by a timestamp representing the expiration time of the first token and the digest as the first token. The random string may take various forms: it may be of random length or of fixed length, and it may contain only digits or only letters, or both letters and digits.
It can be understood that there are many specific ways to generate the first token according to the first network request, not limited to those shown in the above embodiments; in practice, other ways of generating the first token may be chosen based on factors such as security.
Step 230: determine the time for monitoring trigger operations of the sender of the first network request.
Determining the time for monitoring trigger operations of the sender of the first network request means determining when to monitor the sender of the first network request for trigger operations.
It should be noted that the time for monitoring trigger operations of the sender of the first network request may be a point in time or a period of time.
In one embodiment, after determining the time for monitoring trigger operations of the sender of the first network request, the method includes:
monitoring the sender of the first network request for trigger operations at that time.
Trigger operations of the sender of the first network request may be monitored by listening for click events, monitoring button controls, or similar means; different monitoring methods may be used depending on the actual application.
In one embodiment, determining the time for monitoring trigger operations of the sender of the first network request includes: starting from the time the first token is sent to the sender of the first network request, taking the preset first time period immediately before each time point obtained at intervals of a preset second time period as the time for monitoring trigger operations of the sender, where the first time period is shorter than the second time period.
For example, if the first token is sent to the sender of the first network request at 2:00, and the preset first and second time periods are 3 hours and 5 hours respectively, the first time point 5 hours after 2:00 is 7:00, and the first monitoring time derived from that time point is 4:00-7:00; likewise, the second monitoring time is 9:00-12:00.
The advantage of this embodiment is that, after the local end sends the first token to the sender of the first network request, monitoring the sender's trigger operations during fixed time periods ensures the fairness of the monitoring.
In one embodiment, determining the time for monitoring trigger operations of the sender of the first network request includes: obtaining the difference between the expiration time of the first token and the time at which the first token is sent to the sender of the first network request; determining the ratio of the difference to a preset time-difference reference value, the preset time-difference reference value corresponding to a first reference time period and a second reference time period, the first reference time period being shorter than the second; taking the product of the ratio and the first reference time period as a first standard time period and the product of the ratio and the second reference time period as a second standard time period; and, starting from the time the first token is sent to the sender of the first network request, taking the first standard time period immediately before each time point obtained at intervals of the second standard time period as the time for monitoring trigger operations of the sender. The advantage of this embodiment is that the monitoring time is determined adaptively from the length of the period between the time the first token is sent to the sender of the first network request and the expiration time of the first token, which makes the determined monitoring time more reasonable.
In one embodiment, determining the time for monitoring trigger operations of the sender of the first network request includes: dividing the period between the time the first token is sent to the sender of the first network request and the expiration time of the first token into a first number of time intervals; dividing each resulting time interval into a second number of time sub-intervals; for each time interval, obtaining a random integer less than or equal to the second number; and, for each time interval, taking the time sub-interval whose position in that interval equals the random integer obtained for the interval as the time for monitoring trigger operations of the sender. The advantage of this embodiment is that, because every time interval contains a monitoring time, the determination of monitoring times is fair; at the same time, the sub-interval used as the monitoring time within each interval is random, which gives the monitoring times a degree of randomness and can improve security.
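The three ways of choosing monitoring windows described above (fixed periods, periods scaled to the token lifetime, and one random sub-interval per interval), as an added Python example that is not code from the patent. The function names, the 13:00 expiration used in `page_example`, clipping windows at the expiration time and drawing the random integer with the `secrets` module are assumptions of this example.

```python
import secrets
from datetime import datetime, timedelta
from typing import List, Tuple

Window = Tuple[datetime, datetime]


def fixed_windows(sent_at: datetime, expires_at: datetime,
                  first_period: timedelta, second_period: timedelta) -> List[Window]:
    """Each `second_period` after sending yields a time point; the
    `first_period` immediately before that point is a monitoring window."""
    if not timedelta(0) < first_period < second_period:
        raise ValueError("first period must be positive and shorter than the second")
    windows = []
    point = sent_at + second_period
    while point - first_period < expires_at:
        # Assumption: a window never extends past the token's expiration time.
        windows.append((point - first_period, min(point, expires_at)))
        point += second_period
    return windows


def scaled_windows(sent_at: datetime, expires_at: datetime, reference_diff: timedelta,
                   base_first: timedelta, base_second: timedelta) -> List[Window]:
    """Scale both reference periods by (token lifetime / reference difference)."""
    ratio = (expires_at - sent_at) / reference_diff
    return fixed_windows(sent_at, expires_at, base_first * ratio, base_second * ratio)


def random_windows(sent_at: datetime, expires_at: datetime,
                   intervals: int, subintervals: int) -> List[Window]:
    """Split the lifetime into `intervals`, each into `subintervals`, and pick
    one sub-interval per interval with a CSPRNG so the schedule is unpredictable."""
    if intervals < 1 or subintervals < 1:
        raise ValueError("both counts must be at least 1")
    span = (expires_at - sent_at) / intervals
    sub = span / subintervals
    windows = []
    for i in range(intervals):
        k = secrets.randbelow(subintervals) + 1  # random integer in 1..subintervals
        start = sent_at + i * span + (k - 1) * sub
        windows.append((start, start + sub))
    return windows


def fmt(windows: List[Window]) -> List[str]:
    """Render windows as HH:MM-HH:MM strings."""
    return [f"{a:%H:%M}-{b:%H:%M}" for a, b in windows]


def page_example() -> List[str]:
    """Token sent at 2:00, periods of 3 h and 5 h (values from the text);
    the 13:00 expiration time is constructed for this example."""
    sent = datetime(2019, 2, 15, 2, 0)
    expires = datetime(2019, 2, 15, 13, 0)
    return fmt(fixed_windows(sent, expires, timedelta(hours=3), timedelta(hours=5)))


if __name__ == "__main__":
    print(page_example())
```
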
Step 240: when a trigger operation of the sender of the first network request is detected at that time, adjust the expiration time of the first token according to the trigger operation to obtain the adjusted expiration time of the first token.
In one embodiment, adjusting the expiration time of the first token according to the trigger operation, when a trigger operation of the sender of the first network request is detected at that time, to obtain the adjusted expiration time of the first token includes:
in response to detecting a trigger operation of the sender of the first network request at that time, postponing the expiration time of the first token by a preset time period to obtain the adjusted expiration time of the first token.
In one embodiment, after the expiration time of the first token has been adjusted according to a trigger operation of the sender of the first network request detected at that time, the method further includes: determining again the time for monitoring trigger operations of the sender of the first network request and monitoring the sender's trigger operations at that time, until the first token expires.
In one embodiment, adjusting the expiration time of the first token according to the trigger operation, when a trigger operation of the sender of the first network request is detected at that time, to obtain the adjusted expiration time of the first token includes:
obtaining the frequency of the trigger operations of the sender of the first network request detected at that time; and adjusting the expiration time of the first token according to the frequency of the trigger operations.
In one embodiment, adjusting the expiration time of the first token according to the frequency of the trigger operations includes: if the frequency is greater than a preset frequency threshold, postponing the expiration time of the first token by a preset first time period to obtain the adjusted expiration time of the first token; and, if the frequency is not greater than the preset frequency threshold, postponing the expiration time of the first token by a preset second time period to obtain the adjusted expiration time of the first token, the preset second time period being shorter than the preset first time period.
In one embodiment, adjusting the expiration time of the first token according to the frequency of the trigger operations includes: obtaining the ratio of the frequency to a preset frequency threshold; determining the sum of the ratio and 1; and taking the product of that sum and the expiration time of the first token as the adjusted expiration time of the first token.
The advantage of this embodiment is that adaptively adjusting the expiration time of the first token according to the frequency of the trigger operations makes the adjusted expiration time of the first token better meet user needs.
Step 250: when a second network request carrying the first token is received before the adjusted expiration time, confirm that the second network request is legal.
As stated above, a token is a string used to verify the legitimacy of a network request. Therefore, when a second network request carrying the first token is received, if the time at which the second network request is received is before the adjusted expiration time, that is, the first token has not expired, it can be confirmed that the second network request carries a valid first token, that is, the second network request is legal.
In one embodiment, before confirming that the second network request is legal when a second network request carrying the first token is received before the adjusted expiration time, the method includes:
determining whether the token of the second network request is the first token;
if so, determining whether the time at which the second network request is received is before the adjusted expiration time, where confirming that the second network request is legal when a second network request carrying the first token is received before the adjusted expiration time is performed in the case where it is determined that the second network request was received before the adjusted expiration time.
In summary, the embodiment shown in Fig. 2 dynamically optimizes the expiration time of the token, which greatly reduces the likelihood that token expiration disrupts the user experience and takes the security of the token into account while preserving the user experience, so that users can work more efficiently with network services that require tokens.
Fig. 3 is a flowchart showing details of step 220 in one embodiment based on the embodiment corresponding to Fig. 2. As shown in Fig. 3, the following steps are included:
Step 221: generate a pending first token according to the first network request.
The pending first token does not include an expiration time.
In one embodiment, the first network request includes a uniform resource locator and the identity of the sender of the first network request, and generating the pending first token according to the first network request includes: performing a hash operation on the string formed by the uniform resource locator included in the first network request and the identity of the sender of the first network request to obtain a digest of the string; and using the digest as the pending first token.
Step 222: determine the type of the first network request.
In one embodiment, the first network request has a type identifier that identifies the type of the first network request.
Step 223: determine, according to the type, the expiration time of the first token to be generated.
In one embodiment, the first network request has a type identifier, and type identifiers are stored together with their corresponding expiration times in a correspondence table. By querying the correspondence table, the expiration time corresponding to the type identifier in the first network request is obtained and used as the expiration time of the first token to be generated.
Step 224: add the expiration time to the pending first token to generate the first token, and send the first token to the sender of the first network request.
The advantage of the embodiment shown in Fig. 3 is that determining different expiration times for the first token according to the type of the first network request makes the first token generated for the network request more reasonable.
Fig. 4 is a flowchart showing details of step 230 in one embodiment based on the embodiment corresponding to Fig. 2. As shown in Fig. 4, step 230 includes the following steps:
Step 231: obtain the time at which the first token is sent to the sender of the first network request, as the first time.
In one embodiment, the local end has a built-in timer that records the sending time of each token, and the time at which the first token is sent to the sender of the first network request is obtained by reading the timer.
Step 232: obtain the time periods spaced x minutes apart, starting from the first time, as the time for monitoring trigger operations of the sender of the first network request,
where x is a positive integer.
In one embodiment, the time periods spaced x minutes apart starting from the first time are of fixed length. For example, each interval may be 5 minutes, that is, each time it is checked whether the sender of the first network request performed a trigger operation within the preceding 5 minutes.
In one embodiment, the lengths of the time periods spaced x minutes apart starting from the first time follow a preset arithmetic sequence. For example, if the preset arithmetic sequence is 20, 15, 10, 5 and the first time is 18:00, the resulting times for monitoring trigger operations of the sender of the first network request are 18:00-18:20, 18:20-18:35, 18:35-18:45 and 18:45-18:50.
In one embodiment, the interval of x minutes starting from the first time is determined as follows: obtaining a first parameter value according to the expiration time of the first token; and using the first parameter value to determine the interval of x minutes starting from the first time.
In one embodiment, obtaining the first parameter value according to the expiration time of the first token includes:
obtaining the first parameter value by the following expression:
Figure PCTCN2019117695-appb-000001
where M is the difference between the expiration time and the effective time of the first token, n is the ordinal number of the monitoring occasion when x minutes is used as the time for monitoring trigger operations of the sender of the first network request, and y is the first parameter value;
using the first parameter value to determine the interval of x minutes starting from the first time includes:
obtaining the smallest integer greater than the first parameter value y as the number of minutes x of each interval starting from the first time.
It can be seen from the above embodiment that, from the moment the first token takes effect, trigger operations of the sender of the first network request are monitored more and more frequently, that is, the interval between monitoring occasions becomes shorter and shorter. The advantage of this embodiment is therefore that spacing the monitoring occasions at intervals saves resources such as computing overhead, while increasing the density of monitoring as the first token approaches expiration makes it less likely that user operations are interrupted by token expiration, which improves the user experience.
Fig. 5 is a flowchart showing details of step 240 in one embodiment based on the embodiment corresponding to Fig. 2. In the embodiment shown in Fig. 5, the time at which the trigger operation of the sender of the first network request is detected is the second time. As shown in Fig. 5, the following steps are included:
Step 241: obtain the time at which the first token is sent to the sender of the first network request, as the first time.
In one embodiment, the sender of the first network request has a log that records the time at which the sender received each token, and the implementing terminal of this application has an embedded script. Obtaining the time at which the first token is sent to the sender of the first network request includes: using the script to crawl, from the log of the sender of the first network request, the time at which the first token was sent to the sender.
Step 242: determine the difference between the expiration time and the first time.
Since the expiration time is later than the first time, the difference is positive.
Step 243: obtain the sum of the difference and the second time as the adjusted expiration time of the first token.
For example, if the first time is 15:00, the trigger operation of the sender of the first network request is detected at 15:20, and the expiration time of the first token is 15:30, then the difference between the expiration time of the first token and the first time is 30 minutes, so when the trigger operation is detected at 15:20 the expiration time of the first token is adjusted to 15:20 + 30 minutes = 15:50.
In summary, the advantage of the embodiment shown in Fig. 5 is that the expiration time of the first token is adjusted by extending it by the length of the first token's validity period, so that the resulting adjusted expiration time better ensures that the user is not interrupted by token expiration, which improves the user experience.
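The adjustment rule of steps 241 to 243 together with the check of step 250, as an added Python example that is not code from the patent. It uses the random-string token embodiment and keeps the authoritative expiration time in a server-side record; the class and method names, the `max_total` absolute cap and the rule that repeated triggers reuse the initial validity length are assumptions of this example.

```python
import hashlib
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional


@dataclass
class TokenRecord:
    account: str
    first_time: datetime   # step 241: when the token was sent to the requester
    validity: timedelta    # step 242: initial expiration time minus first_time
    expires_at: datetime   # authoritative (adjusted) expiration time
    hard_limit: datetime   # assumption: absolute cap, not in the patent text


class TokenService:
    """Server-side store for tokens whose expiration time slides on activity."""

    def __init__(self, lifetime: timedelta, max_total: timedelta):
        self.lifetime = lifetime
        self.max_total = max_total
        self._records: Dict[str, TokenRecord] = {}

    def issue(self, account: str, now: datetime) -> str:
        # Random-string embodiment: digest of a fresh random value, followed by
        # the timestamp of the initial expiration time.
        digest = hashlib.sha256(secrets.token_bytes(32)).hexdigest()
        expires_at = now + self.lifetime
        token = f"{digest}.{int(expires_at.timestamp())}"
        self._records[token] = TokenRecord(
            account, now, self.lifetime, expires_at, now + self.max_total)
        return token

    def on_trigger(self, token: str, second_time: datetime) -> Optional[datetime]:
        """Steps 242-243: adjusted expiry = second_time + (expiry - first_time)."""
        rec = self._records.get(token)
        if rec is None or second_time >= rec.expires_at:
            return None  # unknown or already expired tokens are never revived
        # Assumption: later triggers reuse the initial validity length.
        rec.expires_at = min(second_time + rec.validity, rec.hard_limit)
        return rec.expires_at

    def verify(self, token: str, received_at: datetime) -> bool:
        """Step 250: accept only a known token received before the adjusted expiry."""
        rec = self._records.get(token)
        if rec is None:
            return False
        if received_at >= rec.expires_at:
            del self._records[token]  # expired: drop the server-side state
            return False
        # The timestamp inside the token string is client-visible and stale after
        # an adjustment, so only the server-side record is trusted.
        return True


def worked_example() -> dict:
    """Constructed scenario using the times from the Fig. 5 walkthrough."""
    def at(hour: int, minute: int) -> datetime:
        return datetime(2019, 2, 15, hour, minute, tzinfo=timezone.utc)

    svc = TokenService(lifetime=timedelta(minutes=30), max_total=timedelta(minutes=60))
    token = svc.issue("acct-demo", now=at(15, 0))         # initial expiry 15:30
    adjusted = svc.on_trigger(token, at(15, 20))          # 15:20 + 30 min
    ok_after_old_expiry = svc.verify(token, at(15, 40))   # past 15:30, before 15:50
    capped = svc.on_trigger(token, at(15, 45))            # 16:15 capped at 16:00
    rejected_at_expiry = not svc.verify(token, at(16, 0)) # not strictly before expiry
    revived = svc.on_trigger(token, at(16, 5))            # record already dropped
    forged = svc.verify("0" * 64 + ".9999999999", at(15, 10))
    return {
        "adjusted": f"{adjusted:%H:%M}",
        "capped": f"{capped:%H:%M}",
        "ok_after_old_expiry": ok_after_old_expiry,
        "rejected_at_expiry": rejected_at_expiry,
        "revived": revived,
        "forged": forged,
    }


if __name__ == "__main__":
    print(worked_example())
```

Without the cap, a sender that triggers an operation in every monitoring window keeps the same token valid indefinitely, which is why the example bounds the total lifetime.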
Fig. 6 is a flowchart showing details of step 240 in another embodiment based on the embodiment corresponding to Fig. 2. As shown in Fig. 6, step 240 includes the following steps:
Step 241': when a trigger operation of the sender of the first network request is detected at that time, obtain the type of the trigger operation.
In one embodiment, each trigger operation corresponds to a service name, and the service name of the trigger operation is used as the type of the trigger operation.
For example, each detected trigger operation of the sender of the first network request yields the service name corresponding to that trigger operation, and that service name can be used as the type of the trigger operation.
Step 242': determine, according to the type of the trigger operation, how the expiration time of the first token is to be adjusted.
In one embodiment, the type of a trigger operation is the risk level corresponding to that trigger operation, and determining how the expiration time of the first token is to be adjusted according to the type of the trigger operation includes:
using the following formula, established on the basis of the risk level corresponding to the trigger operation, as the way of adjusting the expiration time of the first token:
Figure PCTCN2019117695-appb-000002
where α is the adjusted expiration time, β is the expiration time, M is the difference between the expiration time and the effective time of the first token, and γ is the risk level. It can be seen that the higher the risk level γ, the smaller the adjusted expiration time α, that is, the earlier the adjusted expiration time. For example, trigger operations involving a financial client, transfers, changing a password, or changing the bound mobile phone number may have risk level 3; trigger operations involving querying transaction records or querying personal information have risk level 2; and browsing new messages and viewing news have risk level 1. Compared with a trigger operation of a lower risk level, a trigger operation of a higher risk level has a smaller adjusting effect on the first token. That is, the higher the risk level of the trigger operation, the shorter the final extension, even though the expiration time of the first token has been extended, which improves security.
The advantage of this embodiment is that, by using different expiration-time adjustment methods depending on the type of trigger operation detected, a trigger operation can still extend the expiration time of the first token while the length of the extension that a high-risk trigger operation can obtain is reduced, which lowers to some extent the risk introduced by extending the token's expiration time.
Step 243': Adjust the expiration time of the first token according to the adjustment method to obtain the adjusted expiration time of the first token.
In summary, in the embodiment shown in FIG. 6, the expiration time of the first token is adjusted using different adjustment methods depending on the type of trigger operation, so that the adjusted expiration time of the first token is more reasonable and better matches the user's trigger operations.
This application also provides a network request security verification apparatus. The following are apparatus embodiments of this application.
FIG. 7 is a block diagram of a network request security verification apparatus according to an exemplary embodiment. As shown in FIG. 7, the apparatus 700 includes:
A receiving module 710, configured to receive a first network request.
A sending module 720, configured to generate a first token according to the first network request and send the first token to the sender of the first network request, wherein the first token contains the expiration time of the first token.
A determining module 730, configured to determine the time for monitoring trigger operations of the sender of the first network request.
An adjustment module 740, configured to, when a trigger operation of the sender of the first network request is detected at the time, adjust the expiration time of the first token according to the trigger operation to obtain the adjusted expiration time of the first token.
A confirmation module 750, configured to confirm that a second network request is legal when the second network request, carrying the first token, is received before the adjusted expiration time.
In one embodiment, the sending module is further configured to:
generate a pending first token according to the first network request, wherein the pending first token does not contain an expiration time;
determine the type of the first network request;
determine, according to the type, the expiration time of the first token to be generated;
add the expiration time to the pending first token to generate the first token, and send the first token to the sender of the first network request.
In one embodiment, the determining module is further configured to:
acquire the time at which the first token is sent to the sender of the first network request, as a first time;
acquire the time periods spaced x minutes apart, starting from the first time, as the time for monitoring trigger operations of the sender of the first network request, where x is a positive integer.
In one embodiment, the interval of x minutes used each time, starting from the first time, is determined as follows:
obtaining a first parameter value according to the expiration time of the first token;
using the first parameter value to determine the interval of x minutes used each time, starting from the first time.
In one embodiment, obtaining the first parameter value according to the expiration time of the first token includes:
obtaining the first parameter value by the following expression:
Figure PCTCN2019117695-appb-000003
where M is the difference between the expiration time and the effective time of the first token, n is the ordinal number of the monitoring pass when x minutes is used as the time for monitoring trigger operations of the sender of the first network request, and y is the first parameter value;
using the first parameter value to determine the interval of x minutes used each time, starting from the first time, includes:
taking the smallest integer greater than the first parameter value y as the number of minutes x of each interval, starting from the first time.
In one embodiment, the time at which the trigger operation of the sender of the first network request is detected is a second time, and the adjustment module is further configured to:
acquire the time at which the first token is sent to the sender of the first network request, as a first time;
determine the difference between the expiration time and the first time;
take the sum of the difference and the second time as the adjusted expiration time of the first token.
In one embodiment, the adjustment module is further configured to:
when a trigger operation of the sender of the first network request is detected at the time, acquire the type of the trigger operation;
determine, according to the type of the trigger operation, the adjustment method for the expiration time of the first token;
adjust the expiration time of the first token according to the adjustment method to obtain the adjusted expiration time of the first token.
According to a third aspect of this application, a computing device is also provided that performs all or some of the steps of any of the network request security verification methods shown above. The computing device includes:
at least one processor; and
a memory communicatively connected to the at least one processor; wherein
the memory stores instructions executable by the at least one processor, and the instructions are executed by the at least one processor to enable the at least one processor to perform the network request security verification method shown in any of the above exemplary embodiments.
Those skilled in the art will understand that aspects of this application may be implemented as a system, a method, or a program product. Accordingly, aspects of this application may take the form of an entirely hardware implementation, an entirely software implementation (including firmware, microcode, etc.), or an implementation combining hardware and software, which may be collectively referred to herein as a "circuit", "module", or "system".
A computing device 800 according to this embodiment of the application is described below with reference to FIG. 8. The computing device 800 shown in FIG. 8 is only an example and should not impose any limitation on the functions or scope of use of the embodiments of this application.
As shown in FIG. 8, the computing device 800 takes the form of a general-purpose computing device. The components of the computing device 800 may include, but are not limited to: the at least one processing unit 810, the at least one storage unit 820, and a bus 830 connecting the different system components (including the storage unit 820 and the processing unit 810).
The storage unit stores program code that can be executed by the processing unit 810, so that the processing unit 810 performs the steps according to the various exemplary embodiments of this application described in the "Methods of Embodiments" section of this specification.
The storage unit 820 may include readable media in the form of volatile storage units, such as a random access memory (RAM) unit 821 and/or a cache storage unit 822, and may further include a read-only memory (ROM) unit 823.
The storage unit 820 may also include a program/utility 824 having a set of (at least one) program modules 825. Such program modules 825 include, but are not limited to: an operating system, one or more application programs, other program modules, and program data; each of these examples, or some combination of them, may include an implementation of a network environment.
The bus 830 may represent one or more of several types of bus structures, including a storage unit bus or storage unit controller, a peripheral bus, an accelerated graphics port, a processing unit, or a local bus using any of a variety of bus structures.
The computing device 800 may also communicate with one or more external devices 1000 (such as a keyboard, a pointing device, a Bluetooth device, etc.), with one or more devices that enable a user to interact with the computing device 800, and/or with any device (such as a router, a modem, etc.) that enables the computing device 800 to communicate with one or more other computing devices. Such communication may take place through an input/output (I/O) interface 850. The computing device 800 may also communicate with one or more networks (for example a local area network (LAN), a wide area network (WAN), and/or a public network such as the Internet) through a network adapter 860. As shown in the figure, the network adapter 860 communicates with the other modules of the computing device 800 through the bus 830. It should be understood that, although not shown in the figure, other hardware and/or software modules may be used in conjunction with the computing device 800, including but not limited to: microcode, device drivers, redundant processing units, external disk drive arrays, RAID systems, tape drives, and data backup storage systems.
From the description of the above embodiments, those skilled in the art will readily understand that the example embodiments described here may be implemented in software, or in software combined with the necessary hardware. The technical solution according to the embodiments of this application may therefore be embodied in the form of a software product, which may be stored on a non-volatile storage medium (such as a CD-ROM, a USB flash drive, or a portable hard disk) or on a network, and which includes a number of instructions that cause a computing device (such as a personal computer, a server, a terminal apparatus, or a network device) to perform the method according to the embodiments of this application.
According to a fourth aspect of this application, a computer non-volatile readable storage medium is also provided, on which is stored a program product capable of implementing the method described above in this specification. In some possible implementations, aspects of this application may also be implemented in the form of a program product that includes program code; when the program product runs on a terminal device, the program code causes the terminal device to perform the steps according to the various exemplary embodiments of this application described in the "Exemplary Method" section of this specification.
Referring to FIG. 9, a computer non-volatile readable storage medium 900 for implementing the above method according to an embodiment of this application is described. It may take the form of a portable compact disc read-only memory (CD-ROM), include program code, and run on a terminal device such as a personal computer. The program product of this application is not limited to this, however. In this document, a computer non-volatile readable storage medium may be any tangible medium that contains or stores a program, where the program can be used by, or in combination with, an instruction execution system, apparatus, or device.
The program product may use any combination of one or more readable media. A readable medium may be a readable signal medium or a readable storage medium. A readable storage medium may be, for example but without limitation, an electrical, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any combination of these. More specific examples (a non-exhaustive list) of readable storage media include: an electrical connection with one or more wires, a portable disk, a hard disk, random access memory (RAM), read-only memory (ROM), erasable programmable read-only memory (EPROM or flash memory), optical fiber, portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of these.
A computer-readable signal medium may include a data signal propagated in baseband or as part of a carrier wave, carrying readable program code. Such a propagated data signal may take many forms, including but not limited to an electromagnetic signal, an optical signal, or any suitable combination of these. A readable signal medium may also be any readable medium other than a readable storage medium that can send, propagate, or transmit a program for use by, or in combination with, an instruction execution system, apparatus, or device.
The program code contained on a readable medium may be transmitted over any suitable medium, including but not limited to wireless, wired, optical cable, RF, and so on, or any suitable combination of these.
The program code for performing the operations of this application may be written in any combination of one or more programming languages, including object-oriented programming languages such as Java and C++, and conventional procedural programming languages such as the "C" language or similar programming languages. The program code may execute entirely on the user's computing device, partly on the user's device, as a stand-alone software package, partly on the user's computing device and partly on a remote computing device, or entirely on a remote computing device or server. Where a remote computing device is involved, it may be connected to the user's computing device through any kind of network, including a local area network (LAN) or a wide area network (WAN), or it may be connected to an external computing device (for example, through the Internet using an Internet service provider).
In addition, the above drawings are only schematic illustrations of the processing included in the method according to the exemplary embodiments of this application and are not intended to be limiting. It is easy to understand that the processing shown in the drawings does not indicate or limit the chronological order of these processes. It is also easy to understand that these processes may be performed synchronously or asynchronously, for example in multiple modules.
It should be understood that this application is not limited to the precise structure described above and shown in the drawings, and that various modifications and changes may be made without departing from its scope. The scope of this application is limited only by the appended claims.

Claims (22)

  1. A network request security verification method, comprising:
    receiving a first network request;
    generating a first token according to the first network request and sending the first token to the sender of the first network request, wherein the first token contains the expiration time of the first token;
    determining the time for monitoring trigger operations of the sender of the first network request;
    when a trigger operation of the sender of the first network request is detected at the time, adjusting the expiration time of the first token according to the trigger operation to obtain the adjusted expiration time of the first token;
    when a second network request carrying the first token is received before the adjusted expiration time, confirming that the second network request is legal.
  2. The method according to claim 1, wherein generating a first token according to the first network request and sending the first token to the sender of the first network request comprises:
    generating a pending first token according to the first network request, wherein the pending first token does not contain an expiration time;
    determining the type of the first network request;
    determining, according to the type, the expiration time of the first token to be generated;
    adding the expiration time to the pending first token to generate the first token, and sending the first token to the sender of the first network request.
  3. The method according to claim 1, wherein determining the time for monitoring trigger operations of the sender of the first network request comprises:
    acquiring the time at which the first token is sent to the sender of the first network request, as a first time;
    acquiring the time periods spaced x minutes apart, starting from the first time, as the time for monitoring trigger operations of the sender of the first network request, where x is a positive integer.
  4. The method according to claim 3, wherein the interval of x minutes used each time, starting from the first time, is determined as follows:
    obtaining a first parameter value according to the expiration time of the first token;
    using the first parameter value to determine the interval of x minutes used each time, starting from the first time.
  5. The method according to claim 4, wherein obtaining the first parameter value according to the expiration time of the first token comprises:
    obtaining the first parameter value by the following expression:
    Figure PCTCN2019117695-appb-100001
    where M is the difference between the expiration time and the effective time of the first token, n is the ordinal number of the monitoring pass when x minutes is used as the time for monitoring trigger operations of the sender of the first network request, and y is the first parameter value;
    using the first parameter value to determine the interval of x minutes used each time, starting from the first time, comprises:
    taking the smallest integer greater than the first parameter value y as the number of minutes x of each interval, starting from the first time.
  6. The method according to claim 1, wherein the time at which the trigger operation of the sender of the first network request is detected is a second time, and wherein, when a trigger operation of the sender of the first network request is detected at the time, adjusting the expiration time of the first token according to the trigger operation to obtain the adjusted expiration time of the first token comprises:
    acquiring the time at which the first token is sent to the sender of the first network request, as a first time;
    determining the difference between the expiration time and the first time;
    taking the sum of the difference and the second time as the adjusted expiration time of the first token.
  7. The method according to claim 1, wherein, when a trigger operation of the sender of the first network request is detected at the time, adjusting the expiration time of the first token according to the trigger operation to obtain the adjusted expiration time of the first token comprises:
    when a trigger operation of the sender of the first network request is detected at the time, acquiring the type of the trigger operation;
    determining, according to the type of the trigger operation, the adjustment method for the expiration time of the first token;
    adjusting the expiration time of the first token according to the adjustment method to obtain the adjusted expiration time of the first token.
  8. A network request security verification apparatus, comprising:
    a receiving module, configured to receive a first network request;
    a sending module, configured to generate a first token according to the first network request and send the first token to the sender of the first network request, wherein the first token contains the expiration time of the first token;
    a determining module, configured to determine the time for monitoring trigger operations of the sender of the first network request;
    an adjustment module, configured to, when a trigger operation of the sender of the first network request is detected at the time, adjust the expiration time of the first token according to the trigger operation to obtain the adjusted expiration time of the first token;
    a confirmation module, configured to confirm that a second network request is legal when the second network request, carrying the first token, is received before the adjusted expiration time.
  9. The apparatus according to claim 8, wherein the sending module is further configured to:
    generate a pending first token according to the first network request, wherein the pending first token does not contain an expiration time;
    determine the type of the first network request;
    determine, according to the type, the expiration time of the first token to be generated;
    add the expiration time to the pending first token to generate the first token, and send the first token to the sender of the first network request.
  10. The apparatus according to claim 8, wherein the determining module is further configured to:
    acquire the time at which the first token is sent to the sender of the first network request, as a first time;
    acquire the time periods spaced x minutes apart, starting from the first time, as the time for monitoring trigger operations of the sender of the first network request, where x is a positive integer.
  11. The apparatus according to claim 10, wherein the interval of x minutes used each time, starting from the first time, is determined as follows:
    obtaining a first parameter value according to the expiration time of the first token;
    using the first parameter value to determine the interval of x minutes used each time, starting from the first time.
  12. The apparatus according to claim 11, wherein obtaining the first parameter value according to the expiration time of the first token comprises:
    obtaining the first parameter value by the following expression:
    Figure PCTCN2019117695-appb-100002
    其中,M是所述第一令牌的失效时间与生效时间之差,n是采用x分钟作为监听所述第一网络请求的发送端触发操作的时间时,监听所述第一网络请求的发送端触发操作的次数排序,y为第一参数值;Wherein, M is the difference between the expiration time and the effective time of the first token, and n is the time for monitoring the sending of the first network request when using x minutes as the time for the triggering operation of the sending end of the first network request to be monitored Sort the number of terminal trigger operations, y is the first parameter value;
    所述利用所述第一参数值,确定从所述第一时间开始每次间隔的时间x分钟,包括:Said using said first parameter value to determine the time x minutes of each interval starting from said first time includes:
    获取大于所述第一参数值y的最小整数,作为从所述第一时间开始每次间隔的时间x分钟的分钟数。Obtain the smallest integer greater than the first parameter value y as the number of minutes of each interval time x minutes from the first time.
  13. The apparatus according to claim 8, wherein the time at which the trigger operation of the sender of the first network request is monitored is a second time, and the adjustment module is further configured to:
    acquire the time at which the first token is sent to the sender of the first network request, as a first time;
    determine the difference between the expiration time and the first time;
    obtain the sum of the difference and the second time as the adjusted expiration time of the first token.
  14. The apparatus according to claim 8, wherein the adjustment module is further configured to:
    when the trigger operation of the sender of the first network request is monitored at the time, acquire the type of the trigger operation;
    determine, according to the type of the trigger operation, the manner of adjusting the expiration time of the first token;
    adjust the expiration time of the first token in that manner to obtain the adjusted expiration time of the first token.
  15. A computing device comprising a memory and a processor, the memory storing computer-readable instructions which, when executed by the processor, cause the processor to perform:
    receiving a first network request;
    generating a first token according to the first network request and sending the first token to the sender of the first network request, wherein the first token contains the expiration time of the first token;
    determining the time for monitoring the trigger operation of the sender of the first network request;
    when the trigger operation of the sender of the first network request is monitored at the time, adjusting the expiration time of the first token according to the trigger operation to obtain the adjusted expiration time of the first token;
    when a second network request carrying the first token is received before the adjusted expiration time, confirming that the second network request is legal.
  16. The computing device according to claim 15, wherein generating the first token according to the first network request and sending the first token to the sender of the first network request comprises:
    generating a pending first token according to the first network request, wherein the pending first token does not contain an expiration time;
    determining the type of the first network request;
    determining, according to the type, the expiration time of the first token to be generated;
    adding the expiration time to the pending first token to generate the first token, and sending the first token to the sender of the first network request.
  17. The computing device according to claim 15, wherein determining the time for monitoring the trigger operation of the sender of the first network request comprises:
    acquiring the time at which the first token is sent to the sender of the first network request, as a first time;
    acquiring time periods at intervals of x minutes starting from the first time, as the times for monitoring the trigger operation of the sender of the first network request, where x is a positive integer.
  18. The computing device according to claim 17, wherein the interval of x minutes starting from the first time is determined as follows:
    obtaining a first parameter value according to the expiration time of the first token;
    using the first parameter value to determine the interval of x minutes starting from the first time.
  19. The computing device according to claim 18, wherein obtaining the first parameter value according to the expiration time of the first token comprises:
    obtaining the first parameter value by the following expression:
    Figure PCTCN2019117695-appb-100003
    where M is the difference between the expiration time and the effective time of the first token, n is the ordinal number of the monitoring of the trigger operation of the sender of the first network request when x minutes is used as the monitoring time, and y is the first parameter value;
    and using the first parameter value to determine the interval of x minutes starting from the first time comprises:
    obtaining the smallest integer greater than the first parameter value y as the number of minutes x of each interval starting from the first time.
  20. The computing device according to claim 15, wherein the time at which the trigger operation of the sender of the first network request is monitored is a second time, and adjusting the expiration time of the first token according to the trigger operation, when the trigger operation of the sender of the first network request is monitored at the time, to obtain the adjusted expiration time of the first token comprises:
    acquiring the time at which the first token is sent to the sender of the first network request, as a first time;
    determining the difference between the expiration time and the first time;
    obtaining the sum of the difference and the second time as the adjusted expiration time of the first token.
  21. The computing device according to claim 15, wherein adjusting the expiration time of the first token according to the trigger operation, when the trigger operation of the sender of the first network request is monitored at the time, to obtain the adjusted expiration time of the first token comprises:
    when the trigger operation of the sender of the first network request is monitored at the time, acquiring the type of the trigger operation;
    determining, according to the type of the trigger operation, the manner of adjusting the expiration time of the first token;
    adjusting the expiration time of the first token in that manner to obtain the adjusted expiration time of the first token.
  22. A non-volatile computer-readable storage medium storing computer-readable instructions which, when executed by one or more processors, cause the one or more processors to perform the method according to any one of claims 1 to 7.
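The issue, adjust and verify flow of claims 15 to 17 and 20, as an added Python example that is not code from the patent. Assumptions: time is counted in whole minutes, the adjusted expiration is held in a server-side table, the interval x is supplied by the caller because the expression for y survives on this page only as a figure reference, and the names `TokenVerifier`, `TTL_BY_TYPE` and `ABSOLUTE_CAP` are hypothetical. The absolute cap is a hardening step added here and is not part of the claims.

```python
import secrets
from dataclasses import dataclass

TTL_BY_TYPE = {"login": 30, "payment": 5}  # minutes; constructed sample values
ABSOLUTE_CAP = 120  # minutes; hardening added here, not part of the claims

@dataclass
class Session:
    first_time: int   # minute the first token was sent to the sender
    lifetime: int     # original expiration time minus first time
    expires_at: int   # current (possibly adjusted) expiration time
    x: int            # monitoring interval in minutes

class TokenVerifier:
    def __init__(self):
        self._sessions = {}

    def issue(self, request_type, now, x):
        """Issue the first token; its expiration is chosen by request type."""
        ttl = TTL_BY_TYPE[request_type]
        token = secrets.token_urlsafe(32)
        self._sessions[token] = Session(now, ttl, now + ttl, x)
        return token

    def on_trigger(self, token, second_time):
        """Slide the expiry when sender activity is seen at a monitoring time."""
        s = self._sessions.get(token)
        if s is None or second_time >= s.expires_at:
            return None  # unknown or already expired: never revive a token
        elapsed = second_time - s.first_time
        if elapsed <= 0 or elapsed % s.x != 0:
            return s.expires_at  # not a monitoring time: no adjustment
        # Adjusted expiration = (expiration - first time) + second time,
        # bounded by the cap so activity cannot extend the token forever.
        s.expires_at = min(s.lifetime + second_time,
                           s.first_time + ABSOLUTE_CAP)
        return s.expires_at

    def is_legal(self, token, now):
        """A second request is legal only before the adjusted expiration."""
        s = self._sessions.get(token)
        return s is not None and now < s.expires_at
```

Because activity at a monitoring time pushes the expiration forward, a stolen token stays valid for as long as its holder keeps triggering operations, which is why the example bounds the total lifetime.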
PCT/CN2019/117695 2019-07-12 2019-11-12 Method and apparatus for network request security verification, and computing device and storage medium WO2021008034A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201910630624.4 2019-07-12
CN201910630624.4A CN110445615B (en) 2019-07-12 2019-07-12 Network request security verification method, device, medium and electronic equipment

Publications (1)

Publication Number Publication Date
WO2021008034A1 true WO2021008034A1 (en) 2021-01-21

Family

ID=68429656

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2019/117695 WO2021008034A1 (en) 2019-07-12 2019-11-12 Method and apparatus for network request security verification, and computing device and storage medium

Country Status (2)

Country Link
CN (1) CN110445615B (en)
WO (1) WO2021008034A1 (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113179191A (en) * 2021-04-01 2021-07-27 众安信息技术服务有限公司 Network performance monitoring method and device and electronic equipment

Families Citing this family (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112003852B (en) * 2020-08-19 2022-11-25 中国建设银行股份有限公司 Resource access control method, device, equipment and storage medium
CN112671720B (en) * 2020-12-10 2022-05-13 苏州浪潮智能科技有限公司 Token construction method, device and equipment for cloud platform resource access control
CN112528262A (en) * 2020-12-10 2021-03-19 平安科技(深圳)有限公司 Application program access method, device, medium and electronic equipment based on token
CN113656774B (en) * 2021-08-17 2024-06-21 维沃移动通信(杭州)有限公司 Unlocking method and unlocking device of electronic equipment

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106411825A (en) * 2015-08-03 2017-02-15 天脉聚源(北京)科技有限公司 WeChat access token acquisition method and system thereof
US20180139192A1 (en) * 2016-11-15 2018-05-17 Vmware, Inc. Adaptive Token Cache Management
CN109802941A (en) * 2018-12-14 2019-05-24 平安科技(深圳)有限公司 A kind of login validation method, device, storage medium and server

Family Cites Families (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9183509B2 (en) * 2011-05-11 2015-11-10 Ari M. Frank Database of affective response and attention levels
CN103634316A (en) * 2013-11-26 2014-03-12 乐视网信息技术(北京)股份有限公司 Account login method and electronic equipment
CN105450587B (en) * 2014-07-28 2018-08-24 国际商业机器公司 Method and apparatus for protecting Network Communicate Security
CN104901933B (en) * 2014-08-12 2016-08-17 腾讯科技(深圳)有限公司 Current voucher distribution method, device, subscriber equipment, application server and system
CN104239772B (en) * 2014-08-25 2018-07-06 联想(北京)有限公司 A kind of information processing method and electronic equipment
CN107425977B (en) * 2017-04-28 2018-07-31 北京海泰方圆科技股份有限公司 Dynamic token method for synchronizing time and device
US20190114637A1 (en) * 2017-10-13 2019-04-18 John D. Rome Method and system to unlock account access via effort metrics
CN108900559B (en) * 2018-09-26 2022-08-05 平安普惠企业管理有限公司 Login certificate management method and device, computer equipment and storage medium
CN109379193B (en) * 2018-12-06 2021-06-29 佛山科学技术学院 Dynamic replay attack prevention authentication method and device

Also Published As

Publication number Publication date
CN110445615B (en) 2021-08-31
CN110445615A (en) 2019-11-12

Similar Documents

Publication Publication Date Title
WO2021008034A1 (en) Method and apparatus for network request security verification, and computing device and storage medium
US11431702B2 (en) Authenticating and authorizing users with JWT and tokenization
US11303449B2 (en) User device validation at an application server
CN111274268B (en) Internet of things data transmission method and device, medium and electronic equipment
WO2018177124A1 (en) Service processing method and device, data sharing system and storage medium
KR101850677B1 (en) Method and system for determining whether a terminal logging into a website is a mobile terminal
US11632247B2 (en) User security token invalidation
CN111277573A (en) Resource locator with key
WO2002006964A1 (en) Method and apparatus for a secure remote access system
CN109379193B (en) Dynamic replay attack prevention authentication method and device
JP4011285B2 (en) INSTALLATION SERVER DEVICE, INSTALLATION SERVICE METHOD, AND INFORMATION RECORDING MEDIUM
CN109951546A (en) Transactions requests processing method, device, equipment and medium based on intelligent contract
CN113225351B (en) Request processing method and device, storage medium and electronic equipment
WO2014152076A1 (en) Retry and snapshot enabled cross-platform synchronized communication queue
CN112968910B (en) Replay attack prevention method and device
CN107294931B (en) Method and apparatus for adjusting restricted access frequency
EP3033866B1 (en) Secure transfers of files within network-based storage
CN109428924B (en) Application online state maintenance method, access layer assembly, application system and equipment
CN112905990A (en) Access method, client, server and access system
CN116961918A (en) Token acquisition method and device
CN116723247A (en) Micro-service calling method, device, equipment and storage medium
CN113225348B (en) Request anti-replay verification method and device
KR101579525B1 (en) Web service adapter and integrated sns gateway having therof
CN117156474B (en) Remote intelligent operation and maintenance system and operation and maintenance method thereof
CN114584556B (en) File transmission method and device

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 19937827

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

32PN Ep: public notification in the ep bulletin as address of the adressee cannot be established

Free format text: NOTING OF LOSS OF RIGHTS PURSUANT TO RULE 112(1) EPC (EPO FORM 1205A DATED 23/05/2022)

122 Ep: pct application non-entry in european phase

Ref document number: 19937827

Country of ref document: EP

Kind code of ref document: A1