Reputation: 3304
I'm creating a simple web service in PHP to serve data to some of our internal applications.
My question is around authentication/security; the implementation of the actual web service isn't a problem.
For security, I'm planning on providing each application that will be consuming the service with a unique, periodically static authentication code that they use when they call into the service. The service code then checks an internal list to see if the authentication code being used is a valid one, and provides access to the data if it is.
E.g.
xxx.xxx.com/ws.php?op=getproductnameslist&authcode=329cj32x21xdd332
The service is being served over HTTPS, so transmission of the actual data should be encrypted.
I'd like some comments on the above in terms of security concerns, and if there is a better way to do this.
Upvotes: 4
Views: 19137
Reputation: 859
Securing a WebService is not as simple as passing a GET parameter through the URL. GET parameters are logged in HTTP server logs and are easily copied, pasted and manipulated.
WebService security is not a simple problem; try to use well-known solutions. I would go with OAuth. PHP has a good implementation here: http://php.net/manual/es/book.oauth.php
You can also check this post about Web Services security http://www.stormpath.com/blog/secure-your-rest-api-right-way
Upvotes: 5
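An added example, not code from either post: it keeps the question's per-application code and internal list, but reads the code from an `Authorization` header instead of the URL so it stays out of HTTP server access logs, which is the concern the answer raises. It does not implement OAuth; the application names, code values, the `Bearer` scheme and the function names are assumptions made for illustration.

```php
<?php
// Constructed sample data. A real deployment would store only the hash
// strings; they are computed here so the example is self-contained.
function clientHashes(): array
{
    return [
        'inventory-app' => hash('sha256', 'constructed-code-inventory-7f3a'),
        'reporting-app' => hash('sha256', 'constructed-code-reporting-c91e'),
    ];
}

// Returns the matching application name, or null if the request is rejected.
function authenticate(array $server, array $query): ?string
{
    // A code in the URL has already been written to the access log, so it is
    // refused outright to keep clients from relying on that form.
    if (isset($query['authcode'])) {
        return null;
    }
    $header = $server['HTTP_AUTHORIZATION'] ?? '';
    if (!is_string($header) || !preg_match('/^Bearer ([A-Za-z0-9._~+\/-]+)$/', $header, $m)) {
        return null;
    }
    $presented = hash('sha256', $m[1]);
    $match = null;
    // Compare against every entry in constant time so response timing does
    // not reveal which entry matched or how close a guess was.
    foreach (clientHashes() as $app => $stored) {
        if (hash_equals($stored, $presented)) {
            $match = $app;
        }
    }
    return $match;
}

if (PHP_SAPI !== 'cli') {
    // Web entry point (served over HTTPS, as in the question).
    $app = authenticate($_SERVER, $_GET);
    if ($app === null) {
        http_response_code(401);
        header('WWW-Authenticate: Bearer');
        exit;
    }
    header('Content-Type: application/json');
    echo json_encode(['client' => $app, 'op' => $_GET['op'] ?? null]);
} else {
    // CLI run with two constructed requests: header form, then URL form.
    var_dump(authenticate(['HTTP_AUTHORIZATION' => 'Bearer constructed-code-inventory-7f3a'], ['op' => 'getproductnameslist']));
    var_dump(authenticate([], ['op' => 'getproductnameslist', 'authcode' => 'constructed-code-inventory-7f3a']));
}
```

Some Apache/CGI setups do not pass the `Authorization` header through to PHP by default, so check that `$_SERVER['HTTP_AUTHORIZATION']` is populated in your environment.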