I am currently in the process of designing an architecture which allows my client websites to communicate with a master RESTful API, secured by Basic Authentication, on another server using a cross-origin header.
When users register on one of the websites, the form is posted to a PHP file that then creates a stream and posts the data over to the API on the master server (both servers are SSL-secured).
The issue comes after this. With each request to the API, I need to re-provide the user's username and password in order to successfully authenticate them through Basic Authentication.
How can I safely store the username and password of the user so that I can continue to provide the client website with access to the API whilst the user makes changes to their account?
Would it be considered secure enough to store an encrypted username and password in session variables? Users will be passing sensitive information such as a credit card number through to the master API, so security is top priority.