且构网


Can I safely store a username and password in PHP session variables?

Updated: 2022-12-21 16:59:11

As long as you're not storing session state on the REST API server, only on your client webapp, it seems fine from an architectural point of view.

If you really must use the username and password and can't get a disposable token, you may encrypt them with a server-side key and decrypt on the fly when you send them to the API, so even if someone can hijack a session they can't obtain the username and password without the server-side key; but you should be a lot more careful with leaking your PHP session anyway.

PHP session security.

Follow the steps outlined in the answer for that question, except that you should use HTTPS for all interactions: between the user and the webapp, and between the webapp and the REST API.
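The pattern the answer describes (credentials sealed under a server-side key before they enter `$_SESSION`, decrypted only at the moment the REST call is built, with the session itself hardened and everything over HTTPS), written out as an added example. This is not the answerer's code and not from any project on the page. It assumes PHP 7.3+ with the bundled sodium extension, and a hypothetical 32-byte key supplied hex-encoded in an environment variable named `CREDS_KEY` (generated once with `php -r 'echo bin2hex(random_bytes(32));'`). The REST endpoint URL passed to `callApi()` is likewise a placeholder.

```php
<?php
declare(strict_types=1);

// Added example (assumptions: sodium extension available; a 32-byte key in
// the env var CREDS_KEY, hex-encoded; the key is never stored in the session).

// Session hardening: cookie only over HTTPS, invisible to JavaScript,
// same-site, and strict mode so an attacker-supplied session id is rejected.
function startHardenedSession(): void
{
    ini_set('session.use_strict_mode', '1');
    ini_set('session.use_only_cookies', '1');
    session_set_cookie_params([
        'lifetime' => 0,
        'path'     => '/',
        'secure'   => true,      // HTTPS only
        'httponly' => true,      // not readable via document.cookie
        'samesite' => 'Strict',
    ]);
    session_start();
}

// The server-side key lives outside the session store, so a leaked session
// file or a hijacked cookie alone does not yield the credentials.
function loadCredentialKey(): string
{
    $hex = getenv('CREDS_KEY');
    if ($hex === false || strlen($hex) !== 2 * SODIUM_CRYPTO_SECRETBOX_KEYBYTES) {
        throw new RuntimeException('CREDS_KEY must be a 64-hex-char (32-byte) secret');
    }
    return sodium_hex2bin($hex);
}

// Seal username+password under the key before anything touches $_SESSION.
// A fresh random nonce per call is prepended to the authenticated ciphertext.
function sealCredentials(string $user, string $pass, string $key): string
{
    $nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $plain = json_encode(['u' => $user, 'p' => $pass], JSON_THROW_ON_ERROR);
    $box   = sodium_crypto_secretbox($plain, $nonce, $key);
    sodium_memzero($plain);
    return base64_encode($nonce . $box);
}

// Open the sealed blob; secretbox is authenticated, so tampered session data
// or a wrong key fails closed instead of yielding garbage.
function openCredentials(string $sealed, string $key): array
{
    $raw = base64_decode($sealed, true);
    $min = SODIUM_CRYPTO_SECRETBOX_NONCEBYTES + SODIUM_CRYPTO_SECRETBOX_MACBYTES;
    if ($raw === false || strlen($raw) < $min) {
        throw new RuntimeException('malformed sealed credentials');
    }
    $nonce = substr($raw, 0, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $box   = substr($raw, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $plain = sodium_crypto_secretbox_open($box, $nonce, $key);
    if ($plain === false) {
        throw new RuntimeException('credential decryption failed');
    }
    $creds = json_decode($plain, true, 512, JSON_THROW_ON_ERROR);
    sodium_memzero($plain);
    return $creds;
}

// On login: rotate the session id (defeats fixation) and store only the blob.
function onLogin(string $user, string $pass): void
{
    session_regenerate_id(true);
    $_SESSION['creds'] = sealCredentials($user, $pass, loadCredentialKey());
}

// On a later request: decrypt on the fly, use, and let the plaintext die here.
function restAuthorizationHeader(): string
{
    if (!isset($_SESSION['creds'])) {
        throw new RuntimeException('not logged in');
    }
    $creds  = openCredentials($_SESSION['creds'], loadCredentialKey());
    $header = 'Authorization: Basic ' . base64_encode($creds['u'] . ':' . $creds['p']);
    sodium_memzero($creds['p']);
    return $header;
}

// Webapp -> REST API leg, HTTPS only, certificate verified.
function callApi(string $url): string
{
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_HTTPHEADER     => [restAuthorizationHeader()],
        CURLOPT_PROTOCOLS      => CURLPROTO_HTTPS,   // refuse plain http://
        CURLOPT_SSL_VERIFYPEER => true,
        CURLOPT_SSL_VERIFYHOST => 2,
    ]);
    $body = curl_exec($ch);
    if ($body === false) {
        throw new RuntimeException('API call failed: ' . curl_error($ch));
    }
    curl_close($ch);
    return $body;
}

// Usage sketch: startHardenedSession(); onLogin($u, $p) after verifying the
// login form; later callApi('https://api.example/resource') on another request.
```

Note what this does and does not buy you: a stolen session cookie still lets the attacker drive the webapp (and thus the API) as the user for as long as the session lives, which is why the answer says to treat session leakage as the real problem; the encryption only prevents the raw credentials from being read out of a dumped session file or a compromised session store. Keep `CREDS_KEY` out of the document root and out of version control, and fail hard on `sodium_crypto_secretbox_open()` returning `false` rather than falling back to anything.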