+++ access token คืออะไรใน facebook ++++
😋 ปกติ facebook เปิดให้เว็บ (รวมทั้งแอพ) ที่เราเขียนขึ้น
สามารถใช้ระบบ login ของ facebook ได้
ทำให้เว็บนั้นได้สิทธิเข้าถึงข้อมูลส่วนตัวของ user นั้นๆ บน facebook
....
Continue Reading+++ What is access token on Facebook ++++
😋 Facebook is usually open for web (including apps) that we write up.
Facebook login system can be used
Make that web access to user's personal information on Facebook.
.
And in many sites, we must have seen.
Just have an account on Facebook, you can log in.
No need to waste time. Fill out a new subscription.
:
In this post will quote
Using Facebook Login
Behind that success, Facebook will give away access token
So that any web can manage user login
:
Before talking about access token, let me go back to the age of 2534
When "Timberners-Lee" delivered the world's first website.
It's a common thing that human beings use to be.
:
❣ but my weaknesses.... is in the heart
Hey, it's not the weaknesses of the website.
Well it uses HTTP potocol
Which is stateless. Don't remember any status.
The meaning is that Server is very short of memory. Alzheimer's disease.
When it gets request from browser
I don't remember where it came from???
Who sent it, I can't remember anymore!!!!!
:
🤔 to solve this cuddle nha technically
He will give you a server to send session id (or session token)
Which session id is something we can't read and long
It will be sent to browser. Keep this in the cookie.
.
.. Wrong is not that cookie.. but cookies are text
Server will send session id to browser
Keep the value in cookies (keep text on browser side)
:
Programming time on server side
Like PHP when using session _ start ();
Will tell browser to collect session id in text photos such as
PHPSESSID=tqb4s5q7k25234eabbvs11dp02
(session id is a random code)
:
But if it's another language, it may be seen in other words.
E.g. JSSIONID (JAVA EE), PHPSESSID (PHP), and ASPSESSIONID (Microsoft ASP).
.
😉 Even here session id... may think it's a ID code.
:
From now on when users click on what on the web page
Browser will be kind.
Secretly sending this session id to server automatically
Make the server recover from Alzheimer's.
... I remember where the request sent this... yay yay
.
So if the request sent in
It has the same session id
It's considered the same friends.
(Computer vocabulary says these request is in the same SESSION)
.
What if it's not the same session id
It's considered that request is not the same people.
:
👉 Benefits of session id
Will be used in conjunction with login / logout mechanism
1) When user name XXX comes in, there will be a session id.
2) When another user name YY does login, there will be a session id as a different ID.
3) When both users do logout, it will expire session id.
:
Question if we went to wash all the cookies in browser what would happen?
- answer for session id will be gone.
- So who secretly login is holding this web? What is that... huhu
- I have to logout automatically for new login... So sad. Haha.
(server doesn't remember us anymore
Because browser doesn't send session id)
:
Session id sounds like good
😨 but using user / password to login will have disadvantage such as
1) Easy to hacker to sneak in session
To wear sesion id (Cross-Site Request Forgery: CSRF)
... Technically, let's not talk about it. Read it on the
2) It is a burden for server to remember the session id. What rights you have and remember other information of user etc.
3) If you want to give the same user, login different devices such as
Web is fine. Mobile phone is good... It will be more difficult. (I have to copy session)
4) and other disadvantage not mentioned
:
😘 but he has a technique to solve the way.
.
Well, use what's called "acces token"
To get access token
I have to login with user / password to exchange it.
... We have to stand in the cat before we get access token.
Then we can use it instead of login
.
Keep us from feeding user / password often
And each user will get access token. Different look alike.
When it's time for user to do logout, access token will expire immediately.
:
😙 Here access token may compare like a key
Or maybe you can see it as a ticket or a pass... It's up to the imagination.
Difference from session id is
1) access token will not be kept in cookies
2) access token will collect information that can be revealed.
e.g. user _ id, rights, expiration date
(Not a burden for server to remember these information)
:
If you use access token with login mechanism, you will see the advantages like
1) Prevent hacker from using session by Cross-Site Request Forgery (CSRF)
2) Can login from mobile phone and just use the same user.
Just giving away access token... It's like Facebook.
(Not stored in browser cookies)
3) The server can leave a hassle login / logout duty... Throw it to authenticate service outside.
4) Server doesn't need to take care of user information.
:
😀 Cut back to see login mechanism with facebook user / password
The concept is as shown in the photo that I posted. (as an example of php)
Simple summary
- user time login
- It will sneak a switch to Facebook to do login instead.
- Then Facebook will throw back access token to our web
- Then user will use it as a pass. No need to login again.
:
There are many types of access token of Facebook such as
-User Access Token
- App Access Token
- Page Access Token
-Client Token
Each type has different rights. I can't ask for deep.
:
👉 session id and access token all this story
It's a sweet, fragrant hacker. I like it very much.
If they can steal, they can wear a login user.
Then hacker will get all rights like user... done here
.
Except we logout
To make session id or access token expire
Then the hacker will be out of bogs.
:
In the user corner. Just login.
Don't mind access token behind the scenes
But if it's a #programmer, you need to be extra mindful.
Because even four feet know that the philosopher knows.
The biggest giant. Big brother like Facebook.
Still missed it. Let access token out so that it's a big news.
.
👌 So, programming
Let's be mindful about access token. Don't fall off.
Be safe from hakcker to the best
Good luck to all of you.
:
:
Written by Thai programmer thai programmer
:
+++++++++++++
Reference
1) https://developers.facebook.com/docs/php/howto/example_facebook_login?locale=th_TH
2) https://developers.facebook.com/docs/facebook-login/access-tokens?locale=th_THTranslated
csrf 在 跨站請求偽造- 維基百科,自由的百科全書 的相關結果
跨站請求偽造(英語:Cross-site request forgery),也被稱為one-click attack 或者session riding,通常縮寫為CSRF 或者XSRF, 是一種挾制使用者在當前已登入的Web ... ... <看更多>