PHP API, web services and security questions

Hello all!
I'm programming a customer loyalty and social network system engine that must provide an API for other web sites (these websites would basically be using our transaction and member admin system).
Anyway. I need some advice for the implementation of web services and security. I'm thinking of doing some sort of IP vs. token validation, but I haven't seen anything like it in PHP. Has anyone done such a thing or something similar? Could you give me some pointers on what to use?
I'm also not too sure about using web services for all API connections. Do any of you know of other ways to allow clients to connect to my API?
Thanks in advance for all your help.
Re: PHP API, web services and security questions
I haven't personally built an API like the one you're asking about, but a few things I would do given this assignment would be the following:
1) See how companies like Google, Yahoo, Facebook, etc. manage their APIs. In other words, find out how you use them, what is required, etc.
2) Most of these companies use either a combination or a single JavaScript call, or a SOAP request.
3) Some require an XML configuration file that is passed via JavaScript.
4) Tokenizing is a great feature to use. You'll want to encrypt it with MD5 or SHA-2 for a quick lookup either in MySQL or some other form.
5) IP is good, however it's not going to be consistent. I used my own authentication procedure that would do a basic IP match of a user via a $_SESSION cookie that stored their IP. However, NAT routers will cause their IP to change even though their requests are only seconds apart. This was a difficult problem to solve, but hopefully knowing this will help you avoid the issue before you start trying.
I'm sure there are many other suggestions and solutions. This can at least be a starting point. Hope it helps.
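The token approach from point 4, written out as an added example (this is not code from the thread or from the poster's system). It stores only a SHA-256 digest of each token and looks incoming tokens up by digest, and it layers the point-5 IP match on top as an optional, per-client allow-list. The in-memory array stands in for the MySQL table the reply mentions, the function names (`issueToken`, `tokenFromHeader`, `authenticate`) and the sample client and addresses are my own, and I use `hash('sha256', ...)` rather than MD5 since the token only needs a one-way digest, not encryption.

```php
<?php
// Added example, not code from the thread: API tokens with hashed storage
// plus an optional source-IP allow-list. The in-memory array stands in for
// the MySQL table the reply mentions; names like issueToken() are mine.
declare(strict_types=1);

// Issue a token for a partner site. The raw token is returned exactly once;
// only its SHA-256 is stored, so a dumped table yields nothing usable.
function issueToken(array &$store, string $clientId, array $allowedIps = []): string
{
    $raw = bin2hex(random_bytes(32));          // 256 bits of entropy, 64 hex chars
    $store[hash('sha256', $raw)] = [
        'client_id'   => $clientId,
        'allowed_ips' => $allowedIps,          // empty list disables the IP check
        'issued_at'   => time(),
    ];
    return $raw;
}

// Pull the token out of an "Authorization: Bearer <token>" header value.
function tokenFromHeader(string $authorization): ?string
{
    return preg_match('/^Bearer\s+([0-9a-f]{64})$/i', $authorization, $m) === 1 ? $m[1] : null;
}

// Look the presented token up by its hash. Because the lookup key is a hash
// of a high-entropy secret, an indexed equality query (here an array key)
// is both fast and safe; no secret is compared byte-by-byte.
function authenticate(array $store, string $presented, string $remoteIp): ?array
{
    $client = $store[hash('sha256', $presented)] ?? null;
    if ($client === null) {
        return null;
    }
    // The IP check only makes sense for server-to-server calls from a fixed
    // address. Browsers behind NAT or proxies will not present a stable IP,
    // so never rely on it as the only factor.
    if ($client['allowed_ips'] !== [] && !in_array($remoteIp, $client['allowed_ips'], true)) {
        return null;
    }
    return $client;
}

// Offline demo: run with `php tokens.php`. Client name and IPs are constructed.
$store = [];
$token = issueToken($store, 'partner-shop', ['203.0.113.10']);
$header = 'Bearer ' . $token;

foreach ([
    ['header' => $header,      'ip' => '203.0.113.10'],   // valid token, registered IP
    ['header' => $header,      'ip' => '198.51.100.7'],   // valid token, unregistered IP
    ['header' => 'Bearer abc', 'ip' => '203.0.113.10'],   // malformed token
] as $req) {
    $presented = tokenFromHeader($req['header']) ?? '';
    $client = authenticate($store, $presented, $req['ip']);
    printf("%s... from %s => %s\n", substr($req['header'], 0, 16), $req['ip'],
        $client === null ? 'rejected' : 'accepted as ' . $client['client_id']);
}
```

In a real deployment the `$store` array becomes a table with a unique index on the hash column and the lookup is `WHERE token_hash = ?`; the raw token is shown to the partner once at issue time and never stored. Keep the IP allow-list empty for any client that is not calling from a fixed server address.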
Re: PHP API, web services and security questions
The current standard for cross-domain authentication is OAuth - http://oauth.net/ - which uses a token-store approach.
The other method is HTTP(S) Basic / Digest authentication, in which you submit credentials directly (hopefully over a secured protocol) and establish a session against it.
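The second option above, HTTP Basic authentication, as an added example (not code from the thread). It verifies the submitted credentials against a bcrypt hash, refuses to run at all unless the request arrived over TLS, and takes the `$_SERVER` array as a parameter so the check can be exercised from the command line. The client table, its password, the `basicAuth` and `challenge` function names and the realm string are my own; Digest authentication is not shown.

```php
<?php
// Added example, not code from the thread: HTTP Basic authentication for a
// server-to-server API. Passwords are stored as bcrypt hashes, the check is
// skipped unless the request came over TLS, and $_SERVER is passed in
// explicitly so the function can be exercised offline.
declare(strict_types=1);

// Constructed client table: username => password_hash(). In production this
// comes from the database and the hashes are generated at enrolment time.
function clientTable(): array
{
    return ['partner-shop' => password_hash('correct horse battery staple', PASSWORD_BCRYPT)];
}

// Returns the authenticated client name, or null if the request is rejected.
function basicAuth(array $server, array $clients): ?string
{
    // Basic auth resends the password on every request, so refuse plain HTTP.
    if (!isset($server['HTTPS']) || $server['HTTPS'] === 'off') {
        return null;
    }
    $user = $server['PHP_AUTH_USER'] ?? null;
    $pass = $server['PHP_AUTH_PW'] ?? null;
    // Some SAPIs (e.g. CGI/FPM without a rewrite rule) do not populate
    // PHP_AUTH_*; decode the raw Authorization header in that case.
    if ($user === null && isset($server['HTTP_AUTHORIZATION'])
        && preg_match('/^Basic\s+([A-Za-z0-9+\/=]+)$/', $server['HTTP_AUTHORIZATION'], $m) === 1) {
        $decoded = base64_decode($m[1], true);
        if ($decoded !== false && strpos($decoded, ':') !== false) {
            [$user, $pass] = explode(':', $decoded, 2);
        }
    }
    if ($user === null || $pass === null || !isset($clients[$user])) {
        return null;
    }
    return password_verify($pass, $clients[$user]) ? $user : null;
}

// Send the challenge that makes clients retry with credentials.
function challenge(): void
{
    header('WWW-Authenticate: Basic realm="Loyalty API"');
    http_response_code(401);
}

// Offline demo: run with `php basic_auth.php`. All request data is constructed.
$clients = clientTable();
$cases = [
    'tls, correct password'  => ['HTTPS' => 'on', 'PHP_AUTH_USER' => 'partner-shop',
                                 'PHP_AUTH_PW' => 'correct horse battery staple'],
    'plain http'             => ['PHP_AUTH_USER' => 'partner-shop',
                                 'PHP_AUTH_PW' => 'correct horse battery staple'],
    'raw header, wrong pass' => ['HTTPS' => 'on',
                                 'HTTP_AUTHORIZATION' => 'Basic ' . base64_encode('partner-shop:wrong')],
    'raw header, correct'    => ['HTTPS' => 'on',
                                 'HTTP_AUTHORIZATION' => 'Basic ' . base64_encode('partner-shop:correct horse battery staple')],
];
foreach ($cases as $label => $server) {
    $who = basicAuth($server, $clients);
    echo str_pad($label, 24) . ' => ' . ($who ?? 'rejected') . "\n";
}
```

In the web entry point, call `challenge()` and stop when `basicAuth($_SERVER, $clients)` returns null; a session can then be started for the returned client name so later requests do not have to repeat the bcrypt verification.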
Re: PHP API, web services and security questions
I read about OAuth a couple of weeks ago and I thought about using that, but I haven't found much help on implementing it for PHP + web services. Do you know of any tutorials or guides I could follow? I tried Google but haven't found much.
PHP's SOAP implementation isn't very good. Do you know of any framework I could use for PHP and SOAP?
Re: PHP API, web services and security questions
I'd forget about SOAP if I were you; it's extremely verbose and tiresome. Most large API providers rely on JSON / lightweight XML for data transport, combined with RESTful URIs for the API structure.
As for OAuth, there are several libraries and plenty of tutorials if you ask Google:
http://www.google.com/search?q=oauth+php+library
Re: PHP API, web services and security questions
Any pointers on getting started using JSON over PHP for service providing? I googled some terms, but I don't seem to get the kind of thing I'm looking for.
Thanks a lot for all the responses! You guys are being very very helpful.
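A starting point for the "JSON over PHP" question, as an added example that is not code from the thread: a small RESTful endpoint in plain PHP with no framework. The routing and validation live in a `handle()` function that takes the method, path and body as arguments, so the same code runs under a web server and from the command line. The `/members/{id}/points` route, the points data and the `delta` field are my own constructions.

```php
<?php
// Added example, not code from the thread: a minimal JSON-over-HTTP endpoint
// in plain PHP (7.3+ for JSON_THROW_ON_ERROR). Request handling is separated
// from the web layer so it can be run offline from the CLI.
declare(strict_types=1);

// Constructed data: member id => points balance.
$members = ['1001' => 250, '1002' => 40];

// Route one request and return [HTTP status, response body as array].
function handle(string $method, string $path, string $rawBody, array &$members): array
{
    // Only one resource here: /members/{id}/points
    if (preg_match('#^/members/(\d+)/points$#', $path, $m) !== 1) {
        return [404, ['error' => 'not found']];
    }
    $id = $m[1];
    if (!isset($members[$id])) {
        return [404, ['error' => 'unknown member']];
    }
    switch ($method) {
        case 'GET':
            return [200, ['member' => $id, 'points' => $members[$id]]];
        case 'POST':
            // Reject malformed JSON explicitly; json_decode() returns null
            // for bad input, which must not be confused with "no data".
            $data = json_decode($rawBody, true);
            if (json_last_error() !== JSON_ERROR_NONE || !is_array($data)) {
                return [400, ['error' => 'body must be a JSON object']];
            }
            // Validate type and range before touching any state.
            if (!isset($data['delta']) || !is_int($data['delta']) || abs($data['delta']) > 100000) {
                return [422, ['error' => 'delta must be an integer within +/-100000']];
            }
            if ($members[$id] + $data['delta'] < 0) {
                return [409, ['error' => 'insufficient points']];
            }
            $members[$id] += $data['delta'];
            return [200, ['member' => $id, 'points' => $members[$id]]];
        default:
            return [405, ['error' => 'method not allowed']];
    }
}

// Web entry point: reads the real request and emits JSON with the right headers.
function serve(array &$members): void
{
    $path = parse_url($_SERVER['REQUEST_URI'] ?? '/', PHP_URL_PATH) ?: '/';
    [$status, $body] = handle($_SERVER['REQUEST_METHOD'] ?? 'GET', $path,
                              file_get_contents('php://input') ?: '', $members);
    http_response_code($status);
    header('Content-Type: application/json; charset=utf-8');
    header('X-Content-Type-Options: nosniff');   // stop browsers sniffing the body as HTML
    echo json_encode($body, JSON_THROW_ON_ERROR);
}

if (PHP_SAPI === 'cli') {
    // Offline demo with constructed requests: run with `php api.php`.
    foreach ([
        ['GET',    '/members/1001/points', ''],
        ['POST',   '/members/1001/points', '{"delta": 25}'],
        ['POST',   '/members/1002/points', '{"delta": -50}'],
        ['POST',   '/members/1002/points', '{"delta": "ten"}'],
        ['POST',   '/members/1001/points', '{not json'],
        ['DELETE', '/members/1001/points', ''],
        ['GET',    '/members/9999/points', ''],
    ] as [$method, $path, $body]) {
        [$status, $resp] = handle($method, $path, $body, $members);
        echo str_pad("$method $path", 32) . " -> $status " . json_encode($resp) . "\n";
    }
} else {
    serve($members);
}
```

Authentication is deliberately left out of `handle()`; in practice a token or Basic-auth check runs first and `serve()` returns 401 before routing. Keeping the transport (JSON, status codes, headers) in `serve()` and the logic in `handle()` is what makes the endpoint testable without a web server.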