Storing user password in PHP for RESTful API authentication
I am currently in the process of designing architecture which allows my client websites to communicate with a master RESTful API
secured by Basic Authentication on another server using a cross origin header.
When users register on one of the websites the form is posted to a PHP file
that then creates a stream and posts the data over to the API
on the master server (both servers are SSL secured).
The issue comes after this. With each request to the API
I need to re-provide the users' username and password in order to successfully authenticate them through Basic Authentication.
How can I safely store the username and password of the user so that I can continue to provide the client website with access to the API whilst the user makes changes to their account?
Would it be considered secure enough to store an encrypted username and password in session variables? Users will be passing sensitive information such as a credit card number through to the master API
so security is top priority.
If you really really need to store the user name and password in the SESSION
. Then encrypt both the username
and Password
with a server-side key
.
This server side key
will be in a file in your server BUT NOT IN THE ROOT FOLDER , outside the root folder and you can decrypt
while you are sending the credentials to the API
.
So, even if your sessions are hijacked, it wont be easy to crack the credentials wothout the server side key
.
May be you want to have a look at these links
Creating a secure REST API
SO - PHP Session Security
链接地址: http://www.djcxy.com/p/33792.html