dr_rk

Reputation: 4565

Authentication in client-server via a URL with JSON response

I wish to implement a two-way communication channel between a client and a server, over HTTPS. The client communicates via URLs, such as http://example.com/method/param1/param2 and the server responds via JSON.

I wish to implement this in PHP. However, I am not sure how to do this with authentication.

I could simply authenticate the user with a login and password, and send a key back. The user could use this temporary key to communicate. The key expires after a certain period. However, I would like to know if this is the industry standard?

Upvotes: 0

Views: 359

Answers (1)

Durante

Reputation: 305

I don't think a standard exists, but OWASP proposes session-based authentication. You send a token to the user when the user authenticates with a username and password or an API key, and the token allows the user to use the API. Note: the user's password and API key can't appear in the URL.

Reference: https://www.owasp.org/index.php/REST_Security_Cheat_Sheet

Authentication and session management

RESTful web services should use session-based authentication, either by establishing a session token via a POST or by using an API key as a POST body argument or as a cookie. Usernames, passwords, session tokens, and API keys should not appear in the URL, as this can be captured in web server logs, which makes them intrinsically valuable.

OK:
https://example.com/resourceCollection//action
https://twitter.com/vanderaj/lists

NOT OK:
https://example.com/controller//action?apiKey=a53f435643de32 (API Key in URL)
http://example.com/controller//action?apiKey=a53f435643de32 (transaction not protected by TLS; API Key in URL)

Upvotes: 1
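As an added example (not code from the question or the answer), a minimal PHP sketch of the pattern the answer describes: credentials travel in a POST body over TLS, the server returns a random token in its JSON response, and later requests present that token in a header rather than in the URL, so it never reaches the web server's access log. The in-memory $users and $tokens arrays, the 15-minute TTL, storing only a hash of the token, and the Bearer header format are assumptions made for this example.

```php
<?php
// Added example (not from the question or answer): token issuance and
// validation in PHP. The $users and $tokens arrays stand in for a database
// and are constructed here so the script runs stand-alone.
declare(strict_types=1);

const TOKEN_TTL = 900; // seconds a token stays valid (assumed value)

$users  = ['alice' => password_hash('correct horse', PASSWORD_DEFAULT)];
$tokens = []; // sha256(token) => ['user' => ..., 'expires' => unix time]

// POST /login with JSON body {"user": ..., "password": ...}. Credentials are
// read from the body, never from the URL, so they do not land in access logs.
function issueToken(array $users, array &$tokens, string $user, string $password): ?string {
    if (!isset($users[$user]) || !password_verify($password, $users[$user])) {
        return null;
    }
    $token = bin2hex(random_bytes(32));        // 256-bit random session token
    $tokens[hash('sha256', $token)] = [        // store only a hash of it
        'user'    => $user,
        'expires' => time() + TOKEN_TTL,
    ];
    return $token;
}

// Every later request carries the token in the Authorization header.
// Returns the user name, or null when the token is missing, unknown or expired.
function authenticate(array &$tokens, array $headers): ?string {
    if (!preg_match('/^Bearer ([0-9a-f]{64})$/', $headers['Authorization'] ?? '', $m)) {
        return null;
    }
    $key = hash('sha256', $m[1]);
    if (!isset($tokens[$key])) {
        return null;
    }
    if ($tokens[$key]['expires'] < time()) {
        unset($tokens[$key]);                   // expired: drop it from the store
        return null;
    }
    return $tokens[$key]['user'];
}

// Constructed exchange: log in, then call /method/param1/param2 with the token.
$token = issueToken($users, $tokens, 'alice', 'correct horse');
header('Content-Type: application/json');
echo json_encode(['token' => $token, 'expires_in' => TOKEN_TTL]), PHP_EOL;
$who = authenticate($tokens, ['Authorization' => "Bearer $token"]);
echo json_encode(['user' => $who, 'params' => ['param1', 'param2']]), PHP_EOL;
```

In a real deployment the $tokens store would be a database table or cache with the same hash-and-expiry layout, and the token would be sent back to the client over HTTPS only.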
