I’d like to accept requests from a PHP app to my web service. How can I verify that requests made to the web service come from the PHP app (or indeed any authorised source) and are not forged?
My web service relies on the received requests being from allowed domain(s) and not from some bot that’s sending data and pretending to be from that domain.
Well, verify their identity and reject when it’s wrong or missing.
Actually, what you’re thinking of here is checking the HTTP referrer. This happens to be one of those fields that is easily spoofed, so you shouldn’t really rely on that to be the ultimate test of validity. Instead, I’d do the following:
Start by googling / researching these topics:
So, basically, a lot of the time you’ll read about APIs that work this way, essentially:
A client calls an initial authentication API method somehow, which will generate a temporary auth token (which usually follows a format, i.e. md5(userID+timestamp+authlevel+etc+etc)). Then you include your auth token in the header of all the subsequent requests that are made to other API methods. Then your API first validates that token, and if it is valid, it executes the method.
For tutorials / info about good API development, you should go check out APIGEE.
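The token flow described in the answer above, as an added example that is not part of the original thread: the service issues a short-lived token after login, the client sends it in an `X-Auth-Token` header (an assumed header name), and the service verifies it on every call. It swaps the plain md5 concatenation for an HMAC-SHA256 tag keyed with a server-side secret, because an unkeyed hash over a known format can be recomputed by anyone and gives no forgery protection; the secret and timestamps here are constructed for the demo.

```python
import hashlib
import hmac
import time

# Constructed demo secret; a real deployment loads this from configuration.
SERVER_SECRET = b"constructed-demo-secret-change-me"
TOKEN_TTL_SECONDS = 300  # how long an issued token stays valid


def issue_token(user_id, auth_level, now=None, secret=SERVER_SECRET):
    """Create token 'userID:authLevel:timestamp:tag' after a successful login."""
    ts = int(time.time() if now is None else now)
    payload = f"{user_id}:{auth_level}:{ts}"
    # Keyed MAC over the payload: without SERVER_SECRET nobody can produce a valid tag.
    tag = hmac.new(secret, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}:{tag}"


def validate_token(token, now=None, secret=SERVER_SECRET, ttl=TOKEN_TTL_SECONDS):
    """Return the token's claims if the tag is genuine and it has not expired, else None."""
    parts = token.split(":")
    if len(parts) != 4:
        return None
    user_id, auth_level, ts, tag = parts
    try:
        ts, auth_level = int(ts), int(auth_level)
    except ValueError:
        return None
    expected = hmac.new(secret, f"{user_id}:{auth_level}:{ts}".encode(), hashlib.sha256).hexdigest()
    # Constant-time comparison so the check does not leak how many characters matched.
    if not hmac.compare_digest(expected, tag):
        return None
    current = int(time.time() if now is None else now)
    # Reject expired tokens and tokens stamped in the future (clock skew allowance: 60s).
    if current - ts > ttl or ts > current + 60:
        return None
    return {"user_id": user_id, "auth_level": auth_level}


def handle_request(headers, now=None):
    """Gate an API method on the token: 401 when missing or invalid, 200 when accepted."""
    token = headers.get("X-Auth-Token")
    if token is None or validate_token(token, now=now) is None:
        return 401
    return 200  # a real handler would now run the requested method for the user
```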