
Web Service Authentication - PHP

I'm creating a simple web service in PHP to serve data to some of our internal applications.

My question is around authentication/security; the implementation of the actual web service isn't a problem.

For security, I'm planning on providing each application that will be consuming the service with a unique, periodically static authentication code that they use when calling into the service. The service code then checks an internal list to see if the authentication code being used is a valid one, and provides access to the data if it is.

E.g.

xxx.xxx.com/ws.php?op=getproductnameslist&authcode=329cj32x21xdd332

The service is being served over HTTPS, so transmission of the actual data should be encrypted.

I'd like some comments on the above in terms of security concerns, and if there is a better way to do this.

Securing a WebService is not as simple as passing a GET parameter through the URL. GET parameters are logged in HTTP server logs and are easily copy/pasted and manipulated.

WebService security is not a simple problem; try to use well-known solutions. I would go with OAuth. PHP has a good implementation here: http://php.net/manual/es/book.oauth.php

You can also check this post about Web Services security http://www.stormpath.com/blog/secure-your-rest-api-right-way
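
The logging concern raised in the answer, shown as an added example that is not part of the original question or answer: a `ws.php`-style check that takes the per-application code from a request header rather than the query string and compares it in constant time. The header name `X-Auth-Code`, the application names and the sample codes are assumptions made up for illustration.

```php
<?php
// Added example (not from the original post). Assumed names: X-Auth-Code header,
// the application names, and the constructed sample codes below.

// The "internal list": store only SHA-256 hashes of each application's code.
// The plaintext values here are constructed samples so the script is runnable;
// a real deployment would load precomputed hashes from configuration.
function loadKeyHashes(): array
{
    return [
        'inventory-app' => hash('sha256', 'constructed-sample-code-1'),
        'reporting-app' => hash('sha256', 'constructed-sample-code-2'),
    ];
}

// Returns the calling application's name, or null if the request is rejected.
function authenticate(array $server, array $query): ?string
{
    // Reject codes sent in the URL: query strings land in web server logs.
    if (isset($query['authcode'])) {
        return null;
    }
    $presented = $server['HTTP_X_AUTH_CODE'] ?? '';
    if ($presented === '') {
        return null;
    }
    $presentedHash = hash('sha256', $presented);
    $match = null;
    foreach (loadKeyHashes() as $app => $storedHash) {
        // hash_equals() compares in constant time; no early exit on a match.
        if (hash_equals($storedHash, $presentedHash)) {
            $match = $app;
        }
    }
    return $match;
}

if (PHP_SAPI === 'cli') {
    // Constructed requests: header-based, URL-based (rejected), wrong code.
    var_dump(authenticate(['HTTP_X_AUTH_CODE' => 'constructed-sample-code-1'], []));
    var_dump(authenticate([], ['authcode' => 'constructed-sample-code-1']));
    var_dump(authenticate(['HTTP_X_AUTH_CODE' => 'wrong'], []));
} elseif (authenticate($_SERVER, $_GET) === null) {
    http_response_code(401);
    exit;
}
// Authenticated: dispatch on $_GET['op'] from here.
```

This keeps the static-code scheme from the question and only changes where the code travels and how it is compared; it still depends on HTTPS for confidentiality in transit.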
