I am new to PHP :). I am creating a REST API with PHP which would be used by mobile clients (Android and iOS). Currently the PHP website (Yii) allows users to log in with username and password (hashed and stored in the DB). The way I think of implementing this is: I can have a login REST API call that authenticates the user and generates a token (some random number or session id) and sends a hash of that token to the client. The client then can pass that token in the HTTP header every time on the REST API call, and the API methods will validate this on every call?

Now,

  1. I want to know if there are any disadvantages of this approach?
  2. Also, are there any PHP examples of how to do this?
  3. How does this token ensure security? Can someone sniff this token and send it in the request and the server will still allow it? Or, assuming I expire the token with time, should the mobile client again authenticate to get a new token?
Jake N
appcoder

1 Answer

My answer isn't going to be the only one and I am sure you will get a lot of feedback on such a question.

First, the hash. I wouldn't suggest doing it this way. The hash can be sniffed en route by a man-in-the-middle attack etc. Generally, sensitive information in the URL is a bad idea.

Why not use a common session? Authorize on the first call... then the session has been created on the server and the caller... this way you ensure that the requests coming next are authorized.

The user/service/server can simply refer to the session cookie created and by doing so be validated. This way is much more secure and doesn't expose sensitive information.

And.. use HTTPS if possible, of course... otherwise the information is also susceptible to attacks. It all depends on what level of security you want. You can stack layers of security... but that might not make sense if you're sending information about cats over the line :)

Ronnie Jespersen
  • Okay. How do I pass the session id in the API? And is there a code example for this in PHP? – appcoder Mar 26 '14 at 21:28
  • Well, your PHP API application is already able to create sessions... the important thing is that the application that is using the API is able to refer to the cookie with the session ID. Using cURL requests you can use a cookie jar. Talked about here http://stackoverflow.com/questions/13020404/keeping-session-alive-with-curl-and-php – Ronnie Jespersen Mar 26 '14 at 21:33
  • Can I use the HTTP_COOKIE header from my mobile client to pass the session id in each request? – appcoder Mar 27 '14 at 01:26
  • I'm not sure since I haven't developed apps. But I would think so. When you access the API the first time your client would get a session ID in the cookie header. From here you need to save that somehow and use it in the request header when asking the API for the second time... hope it makes sense. – Ronnie Jespersen Mar 27 '14 at 08:20
  • It's the same I was thinking, to send a cookie or a token from the mobile client, but I wasn't sure whether it's a good design. So I posted here for thoughts. – appcoder Mar 27 '14 at 14:35
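The session-based flow the answer describes (authorize on the first call, then validate the session cookie on every later one, with a time-based expiry as the question asks about), as an added PHP example that is not code from the answer or from the asker's project. It assumes a PDO connection `$pdo` and a `users` table with columns `id`, `username` and `password_hash` (created with `password_hash()`); the idle limit and the `/login` route are also assumptions.

```php
<?php
// Added example, not code from the answer: cookie-session authentication for a PHP REST API.
// Assumptions (not in the original post): a PDO connection $pdo and a table `users`
// with columns id, username, password_hash, where password_hash came from password_hash().
declare(strict_types=1);

const SESSION_IDLE_LIMIT = 1800; // seconds of inactivity before the client must log in again

function startApiSession(): void {
    // Secure + HttpOnly: the session id only travels over HTTPS and is not readable by scripts.
    session_set_cookie_params([
        'lifetime' => 0, 'path' => '/', 'secure' => true,
        'httponly' => true, 'samesite' => 'Strict',
    ]);
    session_start();
}

// POST /login: check the stored password hash, then bind a fresh session id to the user.
function login(PDO $pdo, string $username, string $password): bool {
    $stmt = $pdo->prepare('SELECT id, password_hash FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return false;
    }
    session_regenerate_id(true);          // new id after login prevents session fixation
    $_SESSION['user_id']   = (int) $row['id'];
    $_SESSION['last_seen'] = time();
    return true;
}

// Every other endpoint calls this first: it returns the user id or ends the request with 401,
// which is the signal for the mobile client to log in again and obtain a new session.
function requireUser(): int {
    if (!isset($_SESSION['user_id']) || time() - $_SESSION['last_seen'] > SESSION_IDLE_LIMIT) {
        session_unset();
        session_destroy();
        http_response_code(401);
        echo json_encode(['error' => 'authentication required']);
        exit;
    }
    $_SESSION['last_seen'] = time();      // sliding expiry: activity keeps the session alive
    return $_SESSION['user_id'];
}

// Minimal dispatcher for the two calls discussed in the thread.
startApiSession();
header('Content-Type: application/json');
$body = json_decode((string) file_get_contents('php://input'), true) ?: [];
if ($_SERVER['REQUEST_METHOD'] === 'POST' && $_SERVER['REQUEST_URI'] === '/login') {
    $ok = login($pdo, (string) ($body['username'] ?? ''), (string) ($body['password'] ?? ''));
    http_response_code($ok ? 200 : 401);
    echo json_encode(['ok' => $ok]);
} else {
    echo json_encode(['user_id' => requireUser()]);
}
```

The mobile client keeps the `Set-Cookie` value returned by `/login` and sends it back as a `Cookie: PHPSESSID=...` request header on every later call; `HTTP_COOKIE` is only PHP's server-side name for that header.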