
I want to write a hacking-protected web service in PHP. Can anyone give me an example of how to write that? How do I send the authentication headers, and how do I manage them in the web service?

Many Thanks,
Naveed

2 Answers

1

First. Never write your own authentication.

Second. Save yourself the pain and serve your service up using https. It opens a lot more options for authentication that are both simple and secure. OAuth 2, Client Side SSL Certificates and even plain old Basic HTTP authentication are options if you are enforcing https. Even if you're doing your own token passing, you'll probably want to do so over SSL.

If https isn't an option, you can consider earlier versions of OAuth that don't require SSL.


4 Comments

Actually most of the time I don't get the SSL. Can you please give me an example to use oAuth?
The OAuth link I provided at the end of my answer is a popular OAuth library that shouldn't require SSL. My link actually points to the class on GitHub within the TwitterOAuth PHP library which is likely the most popular example and implementation of OAuth right now.
It's a sad fact that many clients do not understand OpenAuth and do not want it used with their commercial app. They often see it as a "Social Network thing". While it is our job to educate over time, business needs are business needs and clients are clients, so imho "just say no" is not a legitimate answer. We are struggling with this one ourselves at the moment as we tackle our first meaningful PHP project. For us at least, this answer just doesn't cut it.
There are many options other than OAuth. Basic Auth, Digest, Client Side Certs, etc.. Authentication is a problem that has been solved by people dedicated to solving that problem. Rolling your own isn't a good practice. If you must do so, enforce HTTPS, pass the authentication credentials in a header, and perform your own authentication at the app layer. This will at least keep it stateless and in line with "RESTful" best practices.
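The last comment's fallback advice (enforce HTTPS, pass credentials in a header, check them at the app layer) in working PHP, as an added example rather than code from the answer or the commenters. The user store, the password "s3cret" and the request arrays are constructed here so the script runs offline from the command line; `isHttps()` trusting `X-Forwarded-Proto` is an assumption that only holds when your own reverse proxy sets that header.

```php
<?php
// Added example (not from the question or either answer): a minimal PHP
// endpoint that enforces HTTPS, reads credentials from the Authorization
// header and verifies them at the application layer.
declare(strict_types=1);

// Constructed user store: username => password_hash() output. A real
// service would load this from a database; the plaintext "s3cret" is
// hashed here only so the example runs offline.
function userStore(): array
{
    return ['naveed' => password_hash('s3cret', PASSWORD_DEFAULT)];
}

// Reject plain-HTTP requests so credentials never cross the wire in clear.
// Assumption: X-Forwarded-Proto is only trusted because our own proxy sets it.
function isHttps(array $server): bool
{
    if (!empty($server['HTTPS']) && $server['HTTPS'] !== 'off') {
        return true;
    }
    return ($server['HTTP_X_FORWARDED_PROTO'] ?? '') === 'https';
}

// Parse "Authorization: Basic base64(user:pass)". Returns [user, pass]
// or null when the header is missing or malformed.
function parseBasicHeader(?string $header): ?array
{
    if ($header === null || stripos($header, 'Basic ') !== 0) {
        return null;
    }
    $decoded = base64_decode(substr($header, 6), true);
    if ($decoded === false || strpos($decoded, ':') === false) {
        return null;
    }
    // Split on the first colon only; passwords may themselves contain colons.
    [$user, $pass] = explode(':', $decoded, 2);
    return [$user, $pass];
}

// Application-layer check: returns the username on success, null otherwise.
// password_verify() runs in constant time, and unknown users are checked
// against a dummy hash so response timing does not reveal which usernames exist.
function authenticate(?string $header, array $users): ?string
{
    static $dummy = null;
    if ($dummy === null) {
        $dummy = password_hash('dummy-password', PASSWORD_DEFAULT);
    }
    $creds = parseBasicHeader($header);
    if ($creds === null) {
        return null;
    }
    [$user, $pass] = $creds;
    $ok = password_verify($pass, $users[$user] ?? $dummy);
    return ($ok && isset($users[$user])) ? $user : null;
}

// Request handler. Apache with PHP-FPM/CGI drops the Authorization header
// unless configured to pass it, hence the fallback to PHP_AUTH_USER/PHP_AUTH_PW,
// which mod_php populates for Basic auth.
function handle(array $server, array $users): array
{
    if (!isHttps($server)) {
        return [403, 'HTTPS required'];
    }
    $header = $server['HTTP_AUTHORIZATION'] ?? null;
    if ($header === null && isset($server['PHP_AUTH_USER'])) {
        $header = 'Basic ' . base64_encode($server['PHP_AUTH_USER'] . ':' . ($server['PHP_AUTH_PW'] ?? ''));
    }
    $user = authenticate($header, $users);
    if ($user === null) {
        // 401 plus a challenge header; the client retries with credentials.
        return [401, 'WWW-Authenticate: Basic realm="api"'];
    }
    return [200, "hello {$user}"];
}

if (PHP_SAPI === 'cli') {
    // Constructed requests standing in for $_SERVER.
    $users = userStore();
    $good = ['HTTPS' => 'on', 'HTTP_AUTHORIZATION' => 'Basic ' . base64_encode('naveed:s3cret')];
    var_dump(handle($good, $users));                           // valid credentials over HTTPS
    var_dump(handle(['HTTPS' => 'on'], $users));               // no header: challenge
    var_dump(handle(['HTTPS' => 'off'] + $good, $users));      // plain HTTP: refused
}
```

In a real deployment the 401 branch would also call `header()` with the challenge and `http_response_code()`; returning the status and message from `handle()` keeps the logic testable without a web server.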
1

Personally, I use a web service to authenticate the user. This web service returns the token (a randomized string).

Then the user can call other web services with their specific arguments + the token.

If the token is not valid / expired / ... => I return a message to authenticate else I return what should be returned :)

Hope this helps...

1 Comment

Thanks for your reply. Can you please send me a sample project or the code to deal with the token and create it? Edit: Are these kinds of personally authenticated WS called REST APIs?
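The token scheme this answer describes (a login service returns a random token, later calls carry it, and an invalid or expired token gets a "please authenticate" reply) written out in PHP as an added example; it is not the answerer's code and is not a reply to the comment above. The in-memory `$store` array, the one-hour `TOKEN_TTL`, the user "naveed" and the `Authorization: Bearer` header format are all assumptions made here; only the SHA-256 of each token is stored, so a copied token table cannot be replayed.

```php
<?php
// Added example (not the answer's own code): issue a random token after a
// successful login and validate it, with expiry, on every later call.
declare(strict_types=1);

const TOKEN_TTL = 3600; // seconds a token stays valid (assumed value)

// Token store: sha256(token) => ['user' => ..., 'expires' => unix time].
// Storing only the hash means a leaked table does not leak live tokens.
// An in-memory array stands in for a database so the example runs offline.
function issueToken(string $user, array &$store, int $now): string
{
    $token = bin2hex(random_bytes(32));   // 256 bits from the CSPRNG
    $store[hash('sha256', $token)] = ['user' => $user, 'expires' => $now + TOKEN_TTL];
    return $token;
}

// Login service: verify the password, then hand back a fresh token.
function login(string $user, string $pass, array $users, array &$store, int $now): ?string
{
    if (!isset($users[$user]) || !password_verify($pass, $users[$user])) {
        return null;
    }
    return issueToken($user, $store, $now);
}

// Pull the token out of "Authorization: Bearer <64 hex chars>".
function bearerToken(?string $header): ?string
{
    if ($header === null || !preg_match('/^Bearer\s+([A-Fa-f0-9]{64})$/', $header, $m)) {
        return null;
    }
    return $m[1];
}

// Returns the username if the token is known and unexpired, else null.
// Expired entries are removed on sight so the store does not grow forever.
function authenticateToken(?string $header, array &$store, int $now): ?string
{
    $token = bearerToken($header);
    if ($token === null) {
        return null;
    }
    $key = hash('sha256', $token);
    if (!isset($store[$key])) {
        return null;
    }
    if ($store[$key]['expires'] <= $now) {
        unset($store[$key]);
        return null;
    }
    return $store[$key]['user'];
}

// Protected service: either ask the caller to authenticate or do the work.
function protectedCall(?string $header, array &$store, int $now, callable $work): array
{
    $user = authenticateToken($header, $store, $now);
    if ($user === null) {
        return ['error' => 'please authenticate'];
    }
    return ['user' => $user, 'result' => $work($user)];
}

if (PHP_SAPI === 'cli') {
    $users = ['naveed' => password_hash('s3cret', PASSWORD_DEFAULT)]; // constructed user
    $store = [];
    $now   = time();
    $work  = fn(string $u): string => "data for {$u}";

    $token = login('naveed', 's3cret', $users, $store, $now);
    $hdr   = 'Bearer ' . $token;
    print_r(protectedCall($hdr, $store, $now, $work));                   // valid token
    print_r(protectedCall($hdr, $store, $now + TOKEN_TTL + 1, $work));   // same token after expiry
    print_r(protectedCall('Bearer ' . str_repeat('0', 64), $store, $now, $work)); // unknown token
}
```

Passing `$now` explicitly instead of calling `time()` inside the functions is what makes the expiry path testable without waiting an hour; in production the caller simply passes `time()`. Tokens should only ever travel over HTTPS, for the reasons given in the first answer, since anyone who reads one off the wire holds the user's session until it expires.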
