Sign Up to our social questions and Answers Engine to ask questions, answer people’s questions, and connect with other people.
Login to our social questions & Answers Engine to ask questions answer people’s questions & connect with other people.
Lost your password? Please enter your email address. You will receive a link and will create a new password via email.
Please briefly explain why you feel this question should be reported.
Please briefly explain why you feel this answer should be reported.
Please briefly explain why you feel this user should be reported.
I am implementing a restful api and I wondering is it possible to securely authenticate using ajax without exposing the authenentication credientials? The credentials that will be used are the same ways that will be passed using curls:
curl_setopt($ch, CURLOPT_USERPWD, 'username:password');
The will be received using:
$_SERVER['PHP_AUTH_USER']
$_SERVER['PHP_AUTH_USER'];
$_SERVER['PHP_AUTH_PW'];
Is this possible and if so, how?
No. This is the exact purpose and use case for implementing Oauth.
Using Basic
HTTPAuthorization will expose the credentials especially from ajax, because even if you run everything throughHTTPS, it will still be available in the client code (before any request is made).If you are using this api internally only (not expecting third party developers to utilize it), you might attempt to use a “API Key” instead of the plain text username and password. This way the key can be regenerated if ever compromised, and never expose your users (likely) reused passwords.
I’ve found that API key + HTTPS covers a lot of situations like this.
You just generate a unique hash and then use that to authenticate the user… the Basecamp API uses the API key as the username.