Webservice Authentication

I am working on a web service + AJAX frontend and I am worried about authentication. At this point, I am passing the username and password to the web service as arguments, but I am afraid this approach is highly insecure. I was told that SSL can solve my problem, but I need more alternatives.

My web service is written in PHP and my frontend is in PHP + AJAX. The web service takes arguments from POST or GET and returns XML (in the future, I will probably use JSON).

+1




4 answers


An AJAX request is no different from a normal request.

Since you have an AJAX interface, I am guessing that you have a page that users log on to. When they do, a cookie is registered in the browser. This cookie is sent back with every AJAX request.



Your PHP script can "authenticate" an AJAX request with a cookie in the same way as with regular requests.

+1



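To make the cookie-based approach concrete, here is an added example (not code from the asker or the answerer) of a single PHP endpoint that handles both the login and the AJAX calls with the standard PHP session cookie, so the username and password travel only once, over HTTPS, and never as GET parameters. The user store, the `action` parameter and the `items` action are constructed for the example.

```php
<?php
// service.php: an AJAX web service authenticated by the PHP session cookie.
// Added example, not the asker's code. The user store is constructed in memory.

// Harden the session cookie before the session starts (PHP 7.3+ array form).
session_set_cookie_params([
    'secure'   => true,    // only sent over HTTPS
    'httponly' => true,    // not readable by page scripts
    'samesite' => 'Lax',   // not sent on cross-site POSTs
]);
session_start();
header('Content-Type: application/json');

// Constructed user store: one user whose password is "correct horse".
// A real service does a database lookup; store only password_hash() output.
$users = [
    'alice' => password_hash('correct horse', PASSWORD_DEFAULT),
];

$action = $_POST['action'] ?? $_GET['action'] ?? '';

if ($action === 'login') {
    // Credentials are accepted from the POST body only, never from the query string.
    $username = $_POST['username'] ?? '';
    $password = $_POST['password'] ?? '';
    $hash = $users[$username] ?? null;
    if ($hash !== null && password_verify($password, $hash)) {
        session_regenerate_id(true);      // new session id on login (session fixation defence)
        $_SESSION['user'] = $username;
        echo json_encode(['ok' => true]);
    } else {
        http_response_code(401);
        echo json_encode(['ok' => false, 'error' => 'invalid credentials']);
    }
    exit;
}

// Every other action requires an authenticated session, exactly as a normal page would.
if (empty($_SESSION['user'])) {
    http_response_code(401);
    echo json_encode(['error' => 'not authenticated']);
    exit;
}

if ($action === 'logout') {
    $_SESSION = [];
    session_destroy();
    echo json_encode(['ok' => true]);
    exit;
}

if ($action === 'items') {
    // Hypothetical data returned only to logged-in users.
    echo json_encode(['user' => $_SESSION['user'], 'items' => ['a', 'b', 'c']]);
    exit;
}

http_response_code(400);
echo json_encode(['error' => 'unknown action']);
```

From the page, a call such as `fetch('service.php', {method: 'POST', body: new URLSearchParams({action: 'items'}), credentials: 'same-origin'})` carries the session cookie automatically. Because that cookie is now the credential, protecting it is what matters: serve everything over HTTPS, keep `HttpOnly` on so a script injected into the page cannot read it, and expire sessions on logout.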

There are various standards like ws-trust, ws-security, ws-federation, etc. that you could rely on to secure your web services.

You can also sign headers with security information.



The following blog details the authentication mechanism for web services using PHP. http://phpwebservices.blogspot.com/

+2



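The "sign headers with security information" suggestion, as an added example that is not the answerer's code: the PHP frontend signs each request to the PHP web service with an HMAC over the method, path, timestamp and body hash under a shared secret, and the service rejects anything stale or tampered. The header names, the secret and the skew window are assumptions made for the example.

```php
<?php
// Added example of HMAC-signed request headers between two PHP services.
// Not the author's code; header names, secret and window are constructed.

const SHARED_SECRET = 'constructed-demo-secret-replace-me'; // constructed; load from config in practice
const MAX_SKEW = 300; // seconds a signed request stays acceptable (limits replay)

// Client side: build the headers to attach to an outgoing request.
function sign_request(string $method, string $path, string $body, int $timestamp, string $secret): array
{
    // Binding method, path, time and a body digest into the MAC means none can be swapped.
    $message = $method . "\n" . $path . "\n" . $timestamp . "\n" . hash('sha256', $body);
    $signature = hash_hmac('sha256', $message, $secret);
    return ['X-Timestamp' => (string) $timestamp, 'X-Signature' => $signature];
}

// Server side: recompute the MAC and compare in constant time.
function verify_request(string $method, string $path, string $body, array $headers, string $secret, int $now): bool
{
    if (!isset($headers['X-Timestamp'], $headers['X-Signature'])) {
        return false; // unsigned request
    }
    $timestamp = (int) $headers['X-Timestamp'];
    if (abs($now - $timestamp) > MAX_SKEW) {
        return false; // outside the replay window
    }
    $expected = sign_request($method, $path, $body, $timestamp, $secret)['X-Signature'];
    return hash_equals($expected, (string) $headers['X-Signature']);
}

// Offline demonstration with a constructed request body.
$now = time();
$body = json_encode(['user' => 'alice', 'op' => 'list']);
$headers = sign_request('POST', '/service.php', $body, $now, SHARED_SECRET);

// Untouched request: accepted.
var_dump(verify_request('POST', '/service.php', $body, $headers, SHARED_SECRET, $now));
// Body changed in transit: rejected.
var_dump(verify_request('POST', '/service.php', $body . ' ', $headers, SHARED_SECRET, $now));
// Same request replayed an hour later: rejected.
var_dump(verify_request('POST', '/service.php', $body, $headers, SHARED_SECRET, $now + 3600));
```

On the sending side the two headers go into `CURLOPT_HTTPHEADER`; on the receiving side PHP exposes them as `$_SERVER['HTTP_X_TIMESTAMP']` and `$_SERVER['HTTP_X_SIGNATURE']`, and the body comes from `file_get_contents('php://input')`. Signing authenticates the caller and detects tampering, but it does not hide the body, so it complements SSL rather than replacing it.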

If I understand the question, you have 1) AJAX messages to PHP, 2) PHP calling a web service. You must have an SSL certificate for step 1. For step 2, the SSL certificate on the web service machine will also secure it. An alternative would be to create a secure VPN between the web server and the web services server.

0




SSL with user credentials is about as secure as you can get. You must determine what concerns your safety. What packets will a user sniff? That is what SSL is for. What will an unauthorized user get access to? This will depend on the security of the passwords.

One thing you can do is create a lease system where you pass a unique encrypted ID that needs to be conveyed in a message and that expires after a transaction or after a short amount of time. This lease code can be extracted into a hidden div on the page (to avoid the sandboxing problem above) and then inserted into each subsequent Ajax request.

0



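The lease scheme from this answer, as an added example that is not the answerer's code: a random token is bound to the logged-in session, rendered into a hidden div, copied into every AJAX request by the page script, and is invalid after one use or a short TTL; each response hands back the next lease. The endpoint, parameter and element names, and the TTL, are assumptions, and the session login itself is assumed to have already happened.

```php
<?php
// Added example of a single-use, short-lived "lease" token for AJAX requests.
// Not the answerer's code; names and the TTL are constructed for the example.

const LEASE_TTL = 120; // seconds an unused lease stays valid

// Issue a fresh lease and keep the only copy server-side, in the session.
function issue_lease(array &$session, int $now): string
{
    $token = bin2hex(random_bytes(32)); // 256 bits from the OS CSPRNG
    $session['lease'] = ['token' => $token, 'expires' => $now + LEASE_TTL];
    return $token;
}

// Check a presented lease and consume it: valid or not, one attempt burns it.
function redeem_lease(array &$session, ?string $presented, int $now): bool
{
    $lease = $session['lease'] ?? null;
    unset($session['lease']);
    if ($lease === null || $presented === null) {
        return false; // nothing issued, or nothing presented
    }
    if ($now > $lease['expires']) {
        return false; // expired
    }
    return hash_equals($lease['token'], $presented); // constant-time compare
}

session_start();
if (empty($_SESSION['user'])) {
    http_response_code(401);
    exit('not authenticated'); // the lease supplements the login, it does not replace it
}

$action = $_GET['action'] ?? 'page';

if ($action === 'page') {
    // Render the page: the lease goes into a hidden div, and the page script copies it
    // into each AJAX request and swaps in the new lease from every response.
    $token = htmlspecialchars(issue_lease($_SESSION, time()), ENT_QUOTES, 'UTF-8');
    header('Content-Type: text/html; charset=utf-8');
    echo <<<HTML
<div id="lease" hidden>{$token}</div>
<script>
async function call(payload) {
  const body = new URLSearchParams(payload);
  body.set('lease', document.getElementById('lease').textContent);
  const r = await fetch('?action=call', {method: 'POST', body, credentials: 'same-origin'});
  const data = await r.json();
  if (data.lease) document.getElementById('lease').textContent = data.lease;
  return data;
}
</script>
HTML;
    exit;
}

if ($action === 'call') {
    header('Content-Type: application/json');
    if (!redeem_lease($_SESSION, $_POST['lease'] ?? null, time())) {
        http_response_code(403);
        echo json_encode(['error' => 'lease missing, used or expired']);
        exit;
    }
    // Do the real work here, then hand back the next lease with the result.
    echo json_encode(['ok' => true, 'lease' => issue_lease($_SESSION, time())]);
    exit;
}
```

Two caveats a practitioner will hit: a strictly single-use lease serializes the page's requests, so two AJAX calls fired at once will see the second rejected (keep a small set of live leases, or drop single use and rely on the TTL, if you need concurrency); and a hidden div is readable by any script running in the page, so the lease limits replay from outside the page but is not a secret from an injected script.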