background preloader

PHP

Facebook Twitter

Designing a Secure REST (Web) API without OAuth. Situation You want to develop a RESTful web API for developers that is secure to use, but doesn’t require the complexity of OAuth and takes a simple “pass the credentials in the query” approach… or something equally-as-easy for people to use, but it needs to be secure. You are a smart guy, so you start to think… Problem You realize that literally passing the credentials over HTTP leaves that data open to being sniffed in plain-text; After the Gawker incident, you realize that plain-text or weakly-hashed anything is usually a bad idea. You realize that hashing the password and sending the hash over the wire in lieu of the plain-text password still gives people sniffing at least the username for the account and a hash of the password that could (in a disturbing number of cases) be looked up in a Rainbow Table.

That’s not good, so you scratch your head some more… “Still not quite right!” Solution So you keep searching for articles on “secure API design“… That seems pretty straight forward. WebService. Marcj/php-rest-service. A Better Login System. Net.tuts+ has published several great tutorials on user login systems. Most tutorials only deal with authenticating the user, which allows for two levels of security: logged in and not logged in. For many sites, a finer degree of control is needed to control where users can go and what they can do.

Creating an access control list (ACL) system will give you the flexibility for granular permissions. Introduction Imagine you are running a great tutorial site that lets users learn about a wide variety of web development techniques. Your problem You want to restrict users' to only specific pages that their particular account allows access to. The solution Implementing an access control list will allow you a great deal of control over what users can and cannot access on your site. If you view the demo, available with the downloadable source code, you will be greeted with an index page that tests the ACL for each user. Step 1: Create the Database Step 2: Database Include Step 3: Create the ACL Class. Simple Secure Login Script. Frameworks. PHP Design Patterns (domnikl)