
I have created APIs to access from an iOS app. There are login and registration pages also. When the user accesses the API, the userid of the user is sent as POST from the iOS code. If the user id matches in the database then the user is allowed to proceed with the API call, otherwise an 'invalid request' message is shown to the user.

Should I proceed with this approach, or, when the user logs in, should I store the user info in a PHP session at the PHP server and, instead of sending the userid each time to PHP, pick the user id from the PHP session?

Could anyone help me with the better approach, with reasons? I find no use in maintaining a session at the PHP server. The session is maintained at the iOS side.

Monika Yadav

2 Answers


What you describe is a very insecure way to authenticate people:

  • Everyone who sniffs the conversation can afterwards use the API.

  • One could even very easily do a brute force attack; you just have to try all possible names, which will probably take only a few minutes for a moderate length of names.

So you should implement some sort of challenge to secure the authentication. The easiest (though least secure) is an additional password. And you have to encrypt the conversation between client and server.

That done, you certainly want to use sessions on the server side. A session allows you to authenticate the user only once. That saves quite a lot of hassle for subsequent requests.

The only alternative yet clean way I can think of is to use client-side SSL certificates, which authenticate the client against the server. This is very secure, but you need to create and install a certificate for each client.

arkascha
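The server-side session approach this answer recommends, as an added PHP example that is not from the question or either answer: the login endpoint checks a password hash and binds the user to the session, and the API endpoint trusts only the session, never a userid posted by the client. It assumes a PDO handle `$pdo` and a `users` table with `id`, `username` and `password_hash` columns (hashes produced by `password_hash()`); the iOS client just keeps and resends the session cookie.

```php
<?php
// Added example, not the asker's code. Assumes $pdo (PDO) and a users table
// with columns id, username, password_hash. Serve this only over HTTPS.
declare(strict_types=1);
// Session cookie is sent only over HTTPS and is not readable by scripts.
session_set_cookie_params([
    'secure'   => true,
    'httponly' => true,
    'samesite' => 'Strict',
]);
session_start();

function login(PDO $pdo, string $username, string $password): bool
{
    $stmt = $pdo->prepare('SELECT id, password_hash FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    // Always run password_verify so timing does not reveal which names exist.
    $hash = $row['password_hash'] ?? password_hash('unused-dummy', PASSWORD_DEFAULT);
    if ($row === false || !password_verify($password, $hash)) {
        return false;
    }
    session_regenerate_id(true);            // new id on login: blocks session fixation
    $_SESSION['user_id'] = (int) $row['id']; // the server, not the client, states who this is
    return true;
}

function currentUserId(): ?int
{
    return isset($_SESSION['user_id']) ? (int) $_SESSION['user_id'] : null;
}

header('Content-Type: application/json');
$action = $_POST['action'] ?? '';
if ($action === 'login') {
    $ok = login($pdo, (string) ($_POST['username'] ?? ''), (string) ($_POST['password'] ?? ''));
    http_response_code($ok ? 200 : 401);
    echo json_encode(['ok' => $ok]);
    exit;
}
// Every other API call: identity comes from the session only.
$userId = currentUserId();
if ($userId === null) {
    http_response_code(401);
    echo json_encode(['error' => 'invalid request']);
    exit;
}
// Handle the API call for $userId here; any userid field the client posts is ignored.
echo json_encode(['ok' => true, 'user_id' => $userId]);
```

The client never has to send its user id after login, so a sniffed or guessed id no longer grants access; only a valid session cookie, obtained by proving the password, does.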

You are basically looking for an authentication method for securing your web services API.

Try implementing OAuth, as it is one of the most secure ways to provide API access to other clients.

It basically works like this.

For every user registered with you who needs API access, you generate an Auth Token for them. Then they need to register a client application with you, for which you generate a secret key and token. When the client app sends the request, the first request must have the secret key and the auth token in the request, which your app must verify and send out the acknowledgement token. You can then make the subsequent requests securely.

The above is just a gist of OAuth. For a much better and more detailed implementation, follow the links below.

http://www.slideshare.net/mohangk/securing-your-web-api-with-oauth

http://techblog.hybris.com/2012/06/11/oauth2-resource-owner-password-flow/

How to get started with OAuth to secure a Web API application?

swordfish