Reputation: 12413
Restful Authentication Through Ajax
I am implementing a restful api and I wondering is it possible to securely authenticate using ajax without exposing the authenentication credientials? The credentials that will be used are the same ways that will be passed using curls:
curl_setopt($ch, CURLOPT_USERPWD, 'username:password');
The will be received using:
$_SERVER['PHP_AUTH_USER']
$_SERVER['PHP_AUTH_USER'];
$_SERVER['PHP_AUTH_PW'];
Is this possible and if so, how?
Upvotes: 1
Views: 802
Answers (1)
Reputation: 62412
No. This is the exact purpose and use case for implementing Oauth.
Using Basic HTTP Authorization will expose the credentials especially from ajax, because even if you run everything through HTTPS, it will still be available in the client code (before any request is made).
If you are using this api internally only (not expecting third party developers to utilize it), you might attempt to use a "API Key" instead of the plain text username and password. This way the key can be regenerated if ever compromised, and never expose your users (likely) reused passwords.
I've found that API key + HTTPS covers a lot of situations like this.
You just generate a unique hash and then use that to authenticate the user... the Basecamp API uses the API key as the username.
curl_setopt($ch, CURLOPT_USERPWD, '<API KEY>:x');
Upvotes: 3
Related Questions
- How to provide a secure authorization with ajax?
- Authorization and Authentication to REST API from JavaScript Client
- How to authenticate an AJAX request to a PHP file?
- REST user authentication
- Authentication using AJAX & PHP
- HTTP Authentication and REST
- How to use PHP-based authentication from non-PHP based AJAX app?
- How to authenticate AJAX call?
- proper way to craft an ajax call with php and auth
- Sending login information via AJAX