I’m sitting here and working on a small project, in this case it’s between PHP and Obj-c.
What is best practice for secure authentication between these?
something like
myhost?do=login&user=my_username&password=my_password
feels a bit unsecure since the username and password is posted open.
I guess i could do some SSL for this(?), but does any one have another good example for a good solution?
My thought is that a login sets a auth_key to the user table (MySQL) and if the above GET-variables are correct, it will return userid and this auth key. Then on every thing i do against the PHP, this auth key is updated and returned to the user (obj-c program) and everything that is done on the server is authenticated against this key, this just for not “showing” the password every time and when a key is used, it’s useless since it’s renewed…
This, however, can’t stop anyone for doing this manually since the key is recieved and updated on a login.
Any ideas for making this more secure, or am i just paranoid?
The distinction between GET and POST doesn’t actually matter – both are HTTP requests, and as long as you don’t encrypt your data, the plain body of the request can be sniffed.
Of course a login should be as a POST req, but just because it is not idempotent, and may have side-effects [db writing, session start, and so].
You may just want to switch to SSL over HTTPS protocol to be sure your data is safe.
As a [really] minimum protection, you may use Basic HTTP Auth, which encodes login credential in Base64 before sending them – you can do this easily with RestKit.