One problem you have with that is an API key can be intercepted very easily
over the wire and used. Combined with a nonce setup makes that far far
harder. Basically all a nonce is is a salt. You generate a random
string (something like md5(microtime()) for example), then use that to salt
your API key while hashing it:

$salted_key = md5($api_key . $nonce_salt);

Then when you send your request, you include the salt you used as part of
the headers as well. Hashes are not reversible so your key stays safe.

On Mon, May 30, 2011 at 4:32 PM, iturri.cf <iturri...@gmail.com> wrote:

> You can use an "API key" instead of a username-password, and send it with
> every request as a custom HTTP header.
> You can read an example from
> http://www.symfony-project.org/more-with-symfony/1_4/en/10-Symfony-Internals :
> "Using the request.filter_parameter event
>
> Let's say you're operating a website exposing a public API to your
> users. The API is available through HTTP, and each user wanting to use
> it must provide a valid API key through a request header (for example
> X_API_KEY) to be validated by your application. This can be easily
> achieved using the request.filter_parameter event:..."
>
> I hope it helps
>
> Cristian Iturri
>
> On 30 mayo, 06:48, Gareth McCumskey <gmccums...@gmail.com> wrote:
> > Web services are considered stateless requests. There is no "client side
> > browser" to manage storing a cookie to allow for stateful sessions. A better
> > solution is to include the authentication with every request made and then
> > verify the credentials on the server side with each request. With a REST
> > service for example, you can include these as custom HTTP headers with nonce
> > salts to encrypt the password itself as it is sent over the wire for
> > security reasons. A very similar mechanism can be used for SOAP where an
> > authentication header tag is sent with each request.
> >
> > This is really the only way to successfully have authentication-based web
> > services.
> >
> > On Sat, May 28, 2011 at 4:04 PM, Filipe Dias
> > <filipediasferre...@gmail.com> wrote:
> >
> >
> >
> > > Hi all,
> >
> > > I'm developing an application as an API: making requests returns
> > > simple xml or json files, but I need to save some properties in
> > > session.
> > > All available documentation is form login oriented. I got
> > > authentication getting a connection to a database, using doctrine
> > > ORM.
> > > If it is a valid login, the result will be an xml/json with success as
> > > content.
> >
> > > Login is accessed like http://server/login/<username>/<password>/<format>
> > > logout like http://server/logout/<format>
> > > and account like http://server/account/<resource>/<format>.
> >
> > > So I got a problem: I can't handle the session storage of symfony,
> > > because in each request I get a new session id;
> >
> > > Does anyone know:
> > > 1. how I can get a ROLE_USER (or similar) after receiving a successful
> > > login
> > > 2. how I can get all information from session when I access the
> > > account with a valid login
> > > 3. how I can invalidate the session in the logout resource.
> > > 4. which is the best configuration in security for this situation!?
> >
> > > Cheers,
> > > Filipe Dias
> >
> > > --
> > > If you want to report a vulnerability issue on symfony, please send it
> to
> > > security at symfony-project.com
> >
> > > You received this message because you are subscribed to the Google
> > > Groups "symfony users" group.
> > > To post to this group, send email to symfony-users@googlegroups.com
> > > To unsubscribe from this group, send email to
> > > symfony-users+unsubscr...@googlegroups.com
> > > For more options, visit this group at
> > >http://groups.google.com/group/symfony-users?hl=en
> >
> > --
> > Gareth McCumskey
> > http://garethmccumskey.blogspot.com
> > twitter: @garethmcc
> > identi.ca: @garethmcc
>



-- 
Gareth McCumskey
http://garethmccumskey.blogspot.com
twitter: @garethmcc
identi.ca: @garethmcc
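The nonce-salted API key exchange described above, as an added example that is not part of the thread: the client hashes its key with a fresh random nonce and sends both, and the server recomputes the hash from the stored key and refuses any nonce it has already accepted. Assumed (not from the thread): the header names X-API-KEY-ID, X-API-NONCE and X-API-HASH, a key lookup array and an in-memory nonce store standing in for a database table.

```php
<?php
// Added example, not code from the thread. Assumed: a lookup from key id to
// the secret API key, and a store of nonces already accepted (an in-memory
// array here; a database table with an expiry in a real deployment).

$apiKeys = ['client-42' => 'constructed-secret-api-key']; // constructed sample
$seenNonces = [];

// Client side: generate a fresh nonce and salt the API key with it, as the
// thread describes. random_bytes() (PHP 7+) replaces md5(microtime()) as the
// nonce source because the nonce must not be guessable from the clock.
function clientSign(string $keyId, string $apiKey): array
{
    $nonce = bin2hex(random_bytes(16));
    return [
        'X-API-KEY-ID' => $keyId,
        'X-API-NONCE'  => $nonce,
        'X-API-HASH'   => md5($apiKey . $nonce), // $salted_key from the thread
    ];
}

// Server side: look the key up by id, recompute the salted hash and compare.
function serverVerify(array $headers, array $apiKeys, array &$seenNonces): bool
{
    $keyId = $headers['X-API-KEY-ID'] ?? '';
    $nonce = $headers['X-API-NONCE'] ?? '';
    $hash  = $headers['X-API-HASH'] ?? '';
    if (!isset($apiKeys[$keyId]) || $nonce === '' || $hash === '') {
        return false;
    }
    // Hashing hides the key but does not stop replay: an intercepted
    // (nonce, hash) pair would verify again, so each nonce is accepted once.
    if (isset($seenNonces[$nonce])) {
        return false;
    }
    $expected = md5($apiKeys[$keyId] . $nonce);
    if (!hash_equals($expected, $hash)) { // constant-time comparison
        return false;
    }
    $seenNonces[$nonce] = time(); // remember it (expire old entries in practice)
    return true;
}

$headers = clientSign('client-42', $apiKeys['client-42']);
var_dump(serverVerify($headers, $apiKeys, $seenNonces)); // first presentation
var_dump(serverVerify($headers, $apiKeys, $seenNonces)); // same headers again
```

The hash covers only the key, as in the thread; binding the request body and a timestamp into an HMAC would additionally stop an intercepted header set from being attached to a different request.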
