0

I was wondering if anyone would know how to validate a username and a password with an API. I'm pretty sure it would be stupid and insecure to use

http://api.example.com/profile?uname=name&pass=the-password

I hope that anyone would know how to do this in a secure way?

Thanks!

krunos
  • 163
  • 1
  • 9
  • Ajax would do the job for you? Make sure ajax is secure with XSRF token and validates only server side? – Sagar Gulati Jun 21 '16 at 19:03
  • 1
    Do not pass credentials in a get string like that. URLs are written to an access log on your server. You don't want tons of usernames/passwords throughout your logs. Use a header and likely use something established like basic authentication. Also, secure means use https for everything. There are also already established standards for this. Have a look at OAuth 1 or 2. – Jonathan Kuhn Jun 21 '16 at 19:03
  • Okay, well, how to use a header? How do you mean? – krunos Jun 21 '16 at 19:05
  • Anyone can set any header they want on a request. How to set the header depends on what they are using to access the API. These are just standard HTTP request headers. On the server, you can check the value of a header as part of `$_SERVER['HTTP_HEADER_NAME']` where `HEADER_NAME` is the name of the request header. – Jonathan Kuhn Jun 21 '16 at 19:07

1 Answer

2

Using a secure connection, and submitting the Username and Password inside the headers is the best way to accomplish this.

HTTPS ensures that a person cannot simply dissect the packets in-transit. Of course, even in HTTPS, there are many security concerns to throwing sensitive data in the URL (see here: Are https URLs encrypted?). That's why we use the headers.

See here for sending headers via cURL:

How to send a header using a HTTP request through a curl call?

Once you're sending the proper headers, the API will (of course) need to authorize based on these header values.

The most common way to accomplish this is to make one endpoint that will authorize with your username and password, then send you an authorization token. Then, once that token is received, you simply include the token in each request. I've seen the token used both ways; via headers and via the URL. The great thing is, with time-limited access tokens, you can use tokens inside the URL itself. However, I'm an eternal pessimist and would advise one to still carry the token in the header instead of the URL.

At that point, though, the choice is yours (unless you don't control the API).

Community
  • 1
  • 1
Nate I
  • 946
  • 4
  • 10
  • 1
    aside from the domain/server name in the initial connection/handshake, the rest of the url is encrypted via https as it is just a header that includes the path part. You just don't want to include sensitive stuff in the url because that is written to a log file on the server. You don't want a file full of unhashed username/passwords lying around. – Jonathan Kuhn Jun 21 '16 at 19:10
  • @JonathanKuhn Once established, yes, you are correct. I guess I over simplified. See here: http://stackoverflow.com/questions/499591/are-https-urls-encrypted Other concerns like DNS requests also pose a threat, which is yet another reason why you don't include it in the URL. Edited the post to reflect my over simplification / inaccuracy. – Nate I Jun 21 '16 at 19:13
  • I'll take a look on headers :) – krunos Jun 21 '16 at 19:15
  • To more directly answer your question: `curl_setopt($myCurl,CURLOPT_HTTPHEADER,array('Username: ' . $username, 'Password: ' . $password));` – Nate I Jun 21 '16 at 19:18
  • @NateI URLs are encrypted with HTTPS and never sent for DNS. BUT yes, it's better NOT to put logins/passwords in the URL to avoid them being logged. – Tom Jun 21 '16 at 21:56
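The comments on the question (read the credentials from a request header via `$_SERVER['HTTP_...']`, never from the query string) and the accepted answer (trade the credentials once for a time-limited token, then carry that token in a header) describe one flow. The PHP below is an added example, not code from the question, the answer or any library: it parses `Authorization: Basic` on a token endpoint, verifies against a stored `password_hash`, issues a random expiring token, and checks `Authorization: Bearer` on every other call with `hash_equals`. The user table, the token store and the request arrays are constructed in-memory stand-ins for a database and a real `$_SERVER`.

```php
<?php
// Added example (not from the question or answer). Credentials travel once, in an
// Authorization header over HTTPS, to a token endpoint; later requests carry a
// short-lived token in a header instead of the URL, so nothing secret lands in
// the access log. Users, tokens and requests are constructed in-memory stand-ins.

declare(strict_types=1);

const TOKEN_TTL_SECONDS = 900; // 15-minute tokens, per the answer's "time-limited" advice

// Constructed user record: only a password hash is stored, never the password.
$users = [
    'alice' => ['hash' => password_hash('correct horse battery staple', PASSWORD_DEFAULT)],
];
$tokens = []; // token string => ['user' => ..., 'expires' => unix time]

/** Parse "Authorization: Basic base64(user:pass)" out of the request headers. */
function parseBasicAuth(array $server): ?array
{
    $header = $server['HTTP_AUTHORIZATION'] ?? '';
    if (stripos($header, 'Basic ') !== 0) {
        return null;
    }
    $decoded = base64_decode(substr($header, 6), true);
    if ($decoded === false || strpos($decoded, ':') === false) {
        return null;
    }
    [$user, $pass] = explode(':', $decoded, 2);
    return ['user' => $user, 'pass' => $pass];
}

/** Token endpoint: verify the password hash, hand back a random, expiring token. */
function issueToken(array $server, array $users, array &$tokens, int $now): ?string
{
    $creds = parseBasicAuth($server);
    if ($creds === null || !isset($users[$creds['user']])) {
        return null;
    }
    if (!password_verify($creds['pass'], $users[$creds['user']]['hash'])) {
        return null;
    }
    $token = bin2hex(random_bytes(32)); // 256 bits from the CSPRNG
    $tokens[$token] = ['user' => $creds['user'], 'expires' => $now + TOKEN_TTL_SECONDS];
    return $token;
}

/** Every other endpoint: require "Authorization: Bearer <token>" and check expiry. */
function authenticateBearer(array $server, array $tokens, int $now): ?string
{
    $header = $server['HTTP_AUTHORIZATION'] ?? '';
    if (stripos($header, 'Bearer ') !== 0) {
        return null;
    }
    $presented = substr($header, 7);
    foreach ($tokens as $stored => $meta) {
        // hash_equals compares in constant time, so a guess cannot be refined byte by byte.
        if (hash_equals((string) $stored, $presented)) {
            return $meta['expires'] > $now ? $meta['user'] : null;
        }
    }
    return null;
}

function check(bool $ok, string $what): void
{
    if (!$ok) {
        throw new RuntimeException("failed: $what");
    }
}

// --- constructed requests exercising both endpoints ---
$now = time();
$login = ['HTTP_AUTHORIZATION' => 'Basic ' . base64_encode('alice:correct horse battery staple')];
$token = issueToken($login, $users, $tokens, $now);
check($token !== null, 'valid credentials yield a token');

$apiCall = ['HTTP_AUTHORIZATION' => 'Bearer ' . $token];
check(authenticateBearer($apiCall, $tokens, $now) === 'alice', 'fresh token is accepted');
check(authenticateBearer($apiCall, $tokens, $now + TOKEN_TTL_SECONDS + 1) === null, 'expired token is rejected');
check(authenticateBearer(['HTTP_AUTHORIZATION' => 'Bearer ' . strrev($token)], $tokens, $now) === null, 'wrong token is rejected');

$badLogin = ['HTTP_AUTHORIZATION' => 'Basic ' . base64_encode('alice:wrong')];
check(issueToken($badLogin, $users, $tokens, $now) === null, 'wrong password yields no token');
echo "token flow ok\n";
```

Whether `$_SERVER['HTTP_AUTHORIZATION']` is populated depends on the SAPI: PHP-FPM behind nginx passes it through, while Apache with mod_php may strip it unless the header is forwarded (or read via `apache_request_headers()`); for Basic specifically, PHP also exposes `$_SERVER['PHP_AUTH_USER']` and `$_SERVER['PHP_AUTH_PW']` when the SAPI supports it. In a real service the tokens would live in a database keyed by a hash of the token rather than in a linear scan, but the per-request check stays the same: header, not URL, compared with `hash_equals`, and rejected once `expires` has passed.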