How to secure a site and internal API?

Question

Excuse me if the title is plain idiotic with respect to the contents.

We were debating a model for an interaction-heavy site in which there will be

site.com
api.site.com

on the same server. the site.com is powered by PHP and api.site.com will be powered by an alternative web framework. The same or different servers answer the two domains.

The rendered site makes AJAX calls to api.site.com.

---

Securing this is easy if the application were 'all PHP'. The session feature can prevent HTTP requests that allow:

• an unlogged stranger from accessing a user's data
• a legitimately logged-in user from requesting another user's data

Question 1: How do you secure the internal API so that we can be sure about the legitimateness of each request?

---

I have googled up AJAX and same origin policy, but I didnt get far with them.

I am thinking randomly generated 'tokens' that will be acknowledged by both domains.

Question 2: Is there a specific name for this model?

Answer 1

You should take a look at JSONP. jQuery has a good example on it: http://api.jquery.com/jQuery.getJSON/

You need to add jsoncallback=? to the URL to make it work.

$.getJSON("http://api.flickr.com/services/feeds/photos_public.gne?jsoncallback=?"

With this, you can avoid the Same origin Policy

The jsoncallback will be a timestamp, which should be echo-ed by the PHP script which outputs the JSON like this:

jsonp1277656587731(/* rest of the JSON here */);

With the number here ofcourse being the randomly generated string, or timestamp in case of jQuery JSONP