0

My website returns a JSON string contains database result when you call the URL through ajax. It's actually public. I mean everybody can send an ajax request to my website and simply get the result neatly (currently my website acts like a free API).

Now all I'm trying to do is authenticating all requests and just response the known ones. So I think I need to pass a token with along each request for identification.

My question: How should I make that token (that no one else can)? And how should I identify that token on server side?

Martin AJ
  • 6,261
  • 8
  • 53
  • 111
  • might be a usefull read, as the question is quite broad: http://stackoverflow.com/questions/549/the-definitive-guide-to-form-based-website-authentication?rq=1 – Jeff Mar 25 '17 at 14:25
  • Force users to authenticate before making requests to your API. – Jeremy Thille Mar 25 '17 at 14:28
  • @JeremyThille In this case my website needs to authenticate too. I don't know how should I do that. – Martin AJ Mar 25 '17 at 14:29
  • What do you mean, your website needs to authenticate? Users do, not websites – Jeremy Thille Mar 25 '17 at 14:32
  • @JeremyThille well my website needs to get the response of an ajax request to show it at a page. All I need to do is making a different between my website's requests and the requests other sends. – Martin AJ Mar 25 '17 at 14:34
  • Yes, hence my reply : authorise API requests only to authenticated users. You have to write an authentication process, store users in a database, make an authentication procedure, check if they exist in the base, cache them to avoid overloading your DB at every API request, etc. – Jeremy Thille Mar 25 '17 at 14:39
  • Check for a cookie, the cookie can only come from your server ... http://stackoverflow.com/questions/2870371/why-is-jquerys-ajax-method-not-sending-my-session-cookie ... this alone does not authenticate the user, but it will stop casual bandwidth pirates. Log the IPs and you can see if you actually have any. – Wayne Mar 25 '17 at 14:55
  • There are either too many possible answers, or good answers would be too long for this format. Please add details to narrow the answer set or to isolate an issue which can be answered in a few paragraphs. I would suggest you find a development forum (perhaps [Quora](http://www.quora.com/Computer-Programming)?) to work out generalities. Then, when/if you have specific coding issues, come back to Stack Overflow and we'll be glad to help. – Jay Blanchard Mar 27 '17 at 11:48

2 Answers2

0

If your "website" and the "app" that calls your website reside on the same domain. Then this can be done server side.

First CORS will stop any java-script app from replicating your client code on another server and calling, or the lack of.

Second. On your server just check that all incoming calls are from the same HOST or the host you want to permit. This would reject any calls that did not originate from the same domain - which you control.

I don't know what language you are using so i can't post code.

MartinWebb
  • 1,998
  • 1
  • 13
  • 15
  • *"On your server just check that all incoming calls are from the same HOST or the host you want to permit."*. How can I do that by PHP? – Martin AJ Mar 25 '17 at 20:04
  • You need to check $_SERVER["HTTP_REFERER"] and reject the request if it does not match your domain. – MartinWebb Mar 25 '17 at 21:11
  • That will stop anybody from accessing the API from a third party URL. – MartinWebb Mar 25 '17 at 21:11
  • You know, the result of `$_SERVER["HTTP_REFERER` is empty, not my domain name. – Martin AJ Mar 25 '17 at 21:15
  • I'm not a fluent PHP programmer - but this link should SO should help http://stackoverflow.com/questions/5410238/how-to-check-if-a-request-if-coming-from-the-same-server-or-different-server – MartinWebb Mar 25 '17 at 21:18
0

I suggest you use jwt to authorize. U can achieve this by requiring that a user log in first and respond with a token on successful request. This token will then be used for subsequent requests

Justus Ikara
  • 172
  • 9