
I have a PHP webservice that I need to add exclusive access to. This I could do with md5sums or similar, but my problem is that I also have a website that calls the webservice from JavaScript. So any keys, md5sums, and whatever else I can think of can be read in the JavaScript and do not provide much security. For example, a URL like http://my-webservice.com?supersecretkey=omg is easy to read in the JavaScript and replicate.

What would be the best approach? Sessions? OAuth? I have researched a bit, but I keep running into the problem that most examples are not written so that they can be called from JavaScript.

naxoc
  • Limit the `omg` to IP of website calling your service. But what I don't get, how is this (what you are doing) possible if JS is not cross domain? – Dejan Marjanović Apr 07 '11 at 16:32
  • If I make it known how to call the webservice (if people look in the JS on my site), then they can call it with any HTTP call. It does not have to be JS. – naxoc Apr 08 '11 at 09:19
  • I am not sure I get what you mean with limit the GET variable omg to an IP? – naxoc Apr 08 '11 at 09:20

2 Answers


For something like this, I would go with HMAC:

http://en.wikipedia.org/wiki/HMAC

Securing a JavaScript client with HMAC

Chris Eberle

I think you should rethink your architecture here. Calling secure web services with JavaScript is not the way to go. Maybe create server resources that can authenticate the JavaScript call, perform the necessary data query, and return it to the JavaScript function as JSON.

Also bear in mind that not everyone has JavaScript enabled in their browser, so it might be good to change to a server-based call altogether.

Niklas Wulff
  • How would I go about creating the server resources that can authenticate the JavaScript call? This was my question :) It is an AJAX call that expects JSON. – naxoc Apr 08 '11 at 09:22
  • Ok, I might have misread the post. What I meant was that you shouldn't rely on JavaScript for security. In the HTTP request sent in via AJAX you can look for authentication cookies, for instance. That of course implies that you authenticated the user before and stored a cookie. – Niklas Wulff Apr 08 '11 at 10:59