diff --git a/application/api/controller/Auth.php b/application/api/controller/Auth.php
new file mode 100644
index 00000000..53f44c89
--- /dev/null
+++ b/application/api/controller/Auth.php
@@ -0,0 +1,35 @@
+
+// +----------------------------------------------------------------------
+
+namespace app\Api\controller;
+use app\common\controller\Api;
+
+class Auth extends Api {
+
+ public function login(){
+ if (!$this->request->post('username')) {
+ $this->data['msg'] = "用户名不能为空!";
+ return $this->data;
+ }
+ if (!$this->request->post('password')) {
+ $this->data['msg'] = "密码不能为空!";
+ return $this->data;
+ }
+
+ $user = model('User')->feild('uid,username,password,salt')->where('username', $this->request->post('username'))->find();
+ if ($user['password'] === md5($this->request->post('password').$user['salt'])) {
+ $this->data['code'] = 1;
+ $user['access_token'] = authcode($user['uid'].'|'.$user['username'].'|'.$user['password'], 'ENCODE');
+ $this->data['data'] = $user;
+ }else{
+ $this->data['msg'] = "密码错误!";
+ }
+ return $this->data;
+ }
+}
\ No newline at end of file
diff --git a/application/api/controller/User.php b/application/api/controller/User.php
index 1ed3168e..b919ea52 100644
--- a/application/api/controller/User.php
+++ b/application/api/controller/User.php
@@ -12,14 +12,9 @@ use app\common\controller\Api;
 class User extends Api {
- public function login(){
- //$this->data['code'] = 1;
- return $this->data;
- }
-
- public function getuser(\think\Request $request){
+ public function getuser(){
 $this->data['code'] = 1;
- $this->data['data'] = db('Member')->where('uid', $request->param('uid'))->find();
+ $this->data['data'] = db('Member')->where('uid', $this->request->param('uid'))->find();
 return $this->data;
 }
 }
\ No newline at end of file
diff --git a/application/common/controller/Api.php b/application/common/controller/Api.php
index 2c4c784f..b845d60c 100644
--- a/application/common/controller/Api.php
+++ b/application/common/controller/Api.php
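Review bot: The successful-login branch assigns the whole `$user` row to `$this->data['data']`, so the password hash and the salt selected by `feild('uid,username,password,salt')` are returned to the client in the JSON response; remove them before that assignment, `unset($user['password'], $user['salt']);`. The query method is spelled `->feild(...)`, which looks like a typo for `->field(...)` and would fail at runtime unless the model defines it, and `find()` can return null for an unknown username, in which case `$user['password']` and `$user['salt']` are read off null before the comparison — guard with `if (!$user) { $this->data['msg'] = "密码错误!"; return $this->data; }` right after the query. The token built with `authcode(...)` embeds the password hash itself and carries no issue time, so it never expires; appending `time()` as a fourth element and checking it in the base class would give the token a lifetime. md5(password.salt) is a weak password store and `password_hash()`/`password_verify()` would replace it, but that change also touches registration and the stored column, so it is outside this hunk.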
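Review bot: `getuser()` returns any Member row for a caller-supplied `uid` with nothing tying it to the logged-in user, and since the base `Api` class defaults `$mustToken` to `false`, only the client signature is required to call it, unless `User` sets `$mustToken` outside this hunk. If the intent is "the current user's record", add `protected $mustToken = true;` to the class and read the id from the validated token, `$this->data['data'] = db('Member')->where('uid', $this->user['uid'])->find();`, instead of from `param('uid')`. If looking up arbitrary users is intended, the endpoint should still require the user token and return a reduced set of columns rather than the full row.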
@@ -11,30 +11,41 @@ namespace app\common\controller;
 class Api {
- protected $data;
+ protected $data = array('code' => 0, 'msg' => '', 'time' => 0, 'data' => '');
+ protected $mustToken = false; //是否检查用户行为
+ protected $user = array(); //用户信息
+ protected $client; //客户端信息
+ protected $request;
- public function __construct() {
- header("Access-Control-Allow-Origin: *");
- header("Access-Control-Allow-Methods: GET, POST, PUT, DELETE, OPTIONS");
- header("Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept, Authorization");
- $header = getallheaders();
- $this->data = array('code' => 0, 'msg' => '', 'time' => time(), 'data' => '');
- $isCheck = $this->checkToken($header);
- $url = request()->module() . '/' . request()->controller() . '/' . request()->action();
- if (!$isCheck && 'api/index/gettoken' !== strtolower($url)) {
+ public function __construct(\think\Request $request) {
+ $this->setHeader();
+ $this->request = $request;
+ $this->data['time'] = time();
+ if ($this->request->isOptions()){
+ exit('OK');
+ }
+ $header = $this->request->header();
+
+ if (!$this->checkAuthor($header)) { //检查客户端接口是否可接入
 $this->data['code'] = '301';
 $this->data['data'] = '非法请求!';
- echo json_encode($this->data);
- exit();
+ echo json_encode($this->data);exit();
+ }
+
+ if ($this->mustToken) {
+ if ($this->checkToken($header)) {
+ $this->data['code'] = '201';
+ $this->data['data'] = '用户登录信息失效,请重登!';
+ echo json_encode($this->data);exit();
+ }
 }
 }
- protected function checkToken($header){
- if (isset($header['Authorization']) && $header['Authorization']) {
- $token = authcode($header['Authorization']);
- list($appid, $appsecret, $currentTime) = explode('|', $token);
- $client = db('Client')->where('appid', $appid)->where('appsecret', $appsecret)->value('id');
- if ($client && ($currentTime+86400) < time()) {
+ protected function checkAuthor($header){
+ if (isset($header['authorization']) && $header['authorization']) {
+ list($appid, $sign) = explode('{|}', 
$header['authorization']);
+ $this->client = db('Client')->where('appid', $appid)->find();
+ if ($sign == md5($this->client['appid'].$this->client['appsecret'])) {
 return true;
 }else{
 return false;
@@ -43,4 +54,26 @@ class Api {
 return false;
 }
 }
+
+ protected function checkToken($header){
+ if (isset($header['access_token']) && $header['access_token']) {
+ $token = authcode($header['access_token']);
+ list($uid, $username, $password) = explode('|', $token);
+ $this->user = model('User')->where('uid', $uid)->where('username', $username)->find();
+ if ($this->user && $password === $this->user['password']) {
+ return true;
+ }else{
+ $this->user = array();
+ return false;
+ }
+ }else{
+ return false;
+ }
+ }
+
+ protected function setHeader(){
+ header("Access-Control-Allow-Origin: *");
+ header("Access-Control-Allow-Methods: GET, POST, PUT, DELETE, OPTIONS");
+ header("Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept, Authorization, access_token");
+ }
 }
\ No newline at end of file
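Review bot: The user-token check in the constructor is inverted: `checkToken()` returns `true` for a valid token, yet `if ($this->checkToken($header))` is the branch that emits the `201` "login expired" rejection, so with `$mustToken` enabled a valid token is refused while a missing or bad token falls straight through; it should read `if (!$this->checkToken($header)) {`. In `checkAuthor()`, `db('Client')->where('appid', $appid)->find()` can return null for an unknown `appid`, and the `==` comparison is then made against a digest of two null offsets rather than a real secret, so confirm the lookup and use a constant-time strict compare: `if ($this->client && hash_equals(md5($this->client['appid'].$this->client['appsecret']), (string) $sign)) {`. `list($appid, $sign) = explode('{|}', ...)` also leaves `$sign` undefined when the header has no separator; assign the result to a variable and check `count($parts) === 2` before destructuring. The signature is a fixed value derived only from stored data, so it is replayable indefinitely, whereas the removed implementation at least carried a timestamp — including a nonce or timestamp in the signed material would restore that. checkAuthor()'s closing lines sit in the next hunk.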
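Review bot: `checkToken()` accepts a token indefinitely: unlike the removed version, nothing in the decoded `uid|username|password` triple carries an issue time, so a token stays valid until the user's password hash changes. Have the login that issues the token append `time()` as a fourth element and reject here when it is stale, e.g. `$parts = explode('|', $token); if (count($parts) !== 4 || (int) $parts[3] + 86400 < time()) { return false; }` before the user lookup; the count check also covers the case where `authcode()` returns an empty or malformed string and `list()` would otherwise assign nulls with notices. The `$password === $this->user['password']` test compares a stored hash and should be `hash_equals($this->user['password'], (string) $password)`. A one-line comment on `checkToken()` stating that it only populates `$this->user` on success and that callers must read `$this->user['uid']` rather than request parameters would make the contract explicit.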