NDBoost

Reputation: 10634

What is the best way to securely process authentication checks cross-domain using REST/JSON/PHP/AJAX?

I am using PHP/CodeIgniter and Tank_Auth library for authentication both on site.com and via the API, and a very basic REST API from Phil Sturgeon.

Right now, when a user fills in username/password on Site1, it makes an API call like so:

http://site2.com/api/index/authenticate?username=jdoe&password=123456

On Site2.com, index/authenticate uses the tank_auth library to compare username/password to what is stored in the database.

My Question: Is there a standard to encrypt the password during submission and then decrypt on the other side? Or would an SSL certificate be sufficient?

Upvotes: 1

Views: 428

Answers (1)

Nick

Reputation: 906

How about creating a hash of the two with some "salt", passing that in the query string, then making sure it matches by running the same hash on the second server:

http://site2.com/api/index/authenticate?username=jdoe&password=123456&cs=fds34wsef3ewtdfgw54ty43wg

Make sure you keep the salt secret. Not too sure about passing this in GET, especially passwords; maybe you could pass a separate ID hash instead of the password. Definitely use POST though, and ideally SSL. The more you can obfuscate/encrypt, the more secure this will be.

Upvotes: 1
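As an added illustration (not code from the question or the answer, and not part of Tank_Auth or Phil Sturgeon's REST library), here is the answer's "hash with a secret salt" idea written as an HMAC over a POST body, with a timestamp so that a captured request cannot be replayed later. The shared secret, the API URL and the function names are assumptions; the request still has to go over HTTPS, since the signature only stops tampering and does not hide the fields from anyone who can see the traffic.

```php
<?php
// Added example: HMAC-signed cross-domain authentication request (Site1 -> Site2).
// SHARED_SECRET and API_URL are placeholders (assumed to be provisioned out of band).
const SHARED_SECRET = 'replace-with-a-long-random-secret';
const API_URL       = 'https://site2.example/api/index/authenticate';

// Site1: build the POST fields and sign them. Fields are sorted so both sides
// compute the MAC over exactly the same byte string.
function build_signed_request(string $username, string $password, int $now): array
{
    $fields = ['username' => $username, 'password' => $password, 'ts' => (string) $now];
    ksort($fields);
    $fields['sig'] = hash_hmac('sha256', http_build_query($fields), SHARED_SECRET);
    return $fields;
}

// Site2: verify the signature and freshness BEFORE handing the credentials to tank_auth.
function verify_signed_request(array $post, int $now, int $maxSkewSeconds = 300): bool
{
    if (!isset($post['sig'], $post['ts'], $post['username'], $post['password'])) {
        return false;
    }
    $fields = $post;
    unset($fields['sig']);          // the MAC covers every field except itself
    ksort($fields);
    $expected = hash_hmac('sha256', http_build_query($fields), SHARED_SECRET);
    if (!hash_equals($expected, (string) $post['sig'])) {
        return false;               // constant-time comparison, no early-exit on mismatch
    }
    if (abs($now - (int) $post['ts']) > $maxSkewSeconds) {
        return false;               // stale or replayed request
    }
    return true;
}

// Site1: send the signed fields with POST over TLS (certificate verification left on).
function send_signed_request(array $fields): string
{
    $ch = curl_init(API_URL);
    curl_setopt_array($ch, [
        CURLOPT_POST           => true,
        CURLOPT_POSTFIELDS     => http_build_query($fields),
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_SSL_VERIFYPEER => true,
    ]);
    $body = curl_exec($ch);
    curl_close($ch);
    return $body === false ? '' : $body;
}
```

On Site2 the controller would call verify_signed_request($_POST, time()) and only on success pass the username and password to the existing tank_auth login check.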
