Secure REST API for application

Possible Duplicate:
Best Practices for securing a REST API / web service

I'm making a desktop application, and in this application I will be able to create / read / update / delete data in a database. For these actions I made a PHP REST API, so I can simply get a full list with /api/users and select user 1 with /api/users/1. I think it's a 'good' way to do this; if you know better ways you can tell me, of course.

Now the problem is I want to log in to the application first, so I log in and can send data, but how do I authenticate?

I'm using C# + a PHP REST API. And for security I think I want to know that a user is authenticated on every request. With a REST API I can send some data to the server very easily, but how do I secure this in a proper way?

I hope my question is clear.


If you're trying to create your own REST API and not work off of an existing framework, I would suggest a simple login system that returns an authentication key of some sort.

Suppose your application makes an API request to log in: you would validate the user's login/password and return a key that will be used for subsequent requests.

Ideally you would want your API key to expire after a certain period of time (like a session cookie) and force the user to re-authenticate, to avoid potential issues with session hijacking.


You have a couple of solutions. One is to use HTTP authentication, which is a feature built into httpd, so all you need is to set it up in .htaccess.

Or you can grant any user a unique application token (e.g. 'foo'), and each API method would require this application token to be passed as, e.g., the 1st argument.

Or you implement API methods like login and logout, and if the login against the given l/p succeeds, then you create a session entry for that user and return a unique session id, which, as in the previous example, would be required in every API method.

The last one is the best, as you get one more layer where you control the access, and if any l/p is compromised you can easily block attackers by changing your password to a new one. And you know more about your users. With just the application token you do not know how many unique users there can be.
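Both answers describe the same scheme: a login call that checks the user's password and hands back an expiring session token, which every later API call must present. The following is an added example that is not part of either answer or of the asker's PHP/C# code; it shows the scheme in Python so the logic is language-neutral (the asker would port it to PHP's `password_verify`, `random_bytes` and `hash_equals`). The user store, the `/api/users` route and the `handle_request` dispatcher are constructed for illustration, and the token lifetime is an assumed value.

```python
import hashlib
import hmac
import os
import secrets
import time

# Assumed token lifetime: after this the client must log in again
# (the "expire like a session cookie" advice from the first answer).
TOKEN_TTL_SECONDS = 15 * 60

# Constructed in-memory user store: username -> (salt, PBKDF2 hash).
# A real API would keep this in the database behind the PHP code.
USERS = {}

# Server-side session table: token -> (username, expiry timestamp).
SESSIONS = {}


def _hash_password(password, salt):
    # Slow, salted hash so a leaked table does not give away passwords.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


def register(username, password):
    salt = os.urandom(16)
    USERS[username] = (salt, _hash_password(password, salt))


def login(username, password, now=None):
    """Validate login/password; return a fresh session token or None."""
    now = time.time() if now is None else now
    record = USERS.get(username)
    if record is None:
        # Hash anyway so unknown and known usernames take the same time.
        _hash_password(password, b"\x00" * 16)
        return None
    salt, stored = record
    if not hmac.compare_digest(stored, _hash_password(password, salt)):
        return None
    # 256 bits from the OS CSPRNG: unguessable, unlike a counter or user id.
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = (username, now + TOKEN_TTL_SECONDS)
    return token


def authenticate(token, now=None):
    """Return the username owning a live token, or None (unknown/expired)."""
    now = time.time() if now is None else now
    entry = SESSIONS.get(token)
    if entry is None:
        return None
    username, expires_at = entry
    if now >= expires_at:
        del SESSIONS[token]  # expired: force re-authentication
        return None
    return username


def logout(token):
    SESSIONS.pop(token, None)


def revoke_user(username):
    """Drop every session of one user, e.g. after their password is reset."""
    for token in [t for t, (u, _) in SESSIONS.items() if u == username]:
        del SESSIONS[token]


def handle_request(method, path, token, now=None):
    """Tiny dispatcher: every API method checks the token before doing work."""
    user = authenticate(token, now)
    if user is None:
        return 401, "unauthorized"
    if method == "GET" and path == "/api/users":
        return 200, sorted(USERS)
    return 404, "not found"


if __name__ == "__main__":
    register("alice", "correct horse battery staple")
    tok = login("alice", "correct horse battery staple")
    print(handle_request("GET", "/api/users", tok))      # (200, ['alice'])
    print(handle_request("GET", "/api/users", "bogus"))  # (401, 'unauthorized')
```

Because the session table lives on the server, the second answer's point holds: a stolen password is handled by resetting it and calling `revoke_user`, which invalidates every token that password produced, and the table also tells you exactly how many distinct users are active, which a single shared application token cannot.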
