My idea was to query the web service by simply invoking a URL like:
Code:
fetch.php?module=users&something=else

My in-head solution goes something like:
1. Create a private key shared by both apps
2. Send request to server with a URL like
index.php?ts=736377469876&nonce=NJM9hjHJND7S66tndjydes5
The nonce is generated on the requesting server by sha256 hashing of the timestamp (ts) of the current system using some private key (i.e. TEST) as a salt???
Problem is, the receiving server can take its secret key and generate a hash on the timestamp and compare the two hashes for equality; however there is no way to prevent this same set of values from being captured and replayed, unless I expire the request after a few seconds. The problem with that approach is that two distinct physical servers could have wildly different timestamps for the current time.
Any other ideas for achieving a simple one-time (semi-secure) HTTP request/response???
Cheers,
Alex
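The timestamp-plus-nonce scheme sketched in the post, worked through as an added example (not code from the original post, and in Python rather than PHP): the requesting side signs the module, timestamp and a random nonce with the shared secret using HMAC-SHA256; the receiving side checks the signature in constant time, rejects timestamps outside a tolerance window (which absorbs the clock drift between the two servers), and keeps a short-lived nonce cache so a captured request cannot be replayed inside that window. The secret value and window size are constructed for the example.

```python
import hmac
import hashlib
import secrets
import time
from urllib.parse import urlencode, parse_qs

SECRET = b"TEST-shared-secret"  # constructed; both apps hold this out of band
MAX_SKEW = 30                   # seconds of clock difference tolerated between servers


def sign_request(module, secret, now=None):
    """Build the query string the requesting server would send."""
    ts = str(int(now if now is not None else time.time()))
    nonce = secrets.token_hex(16)  # random per request, not derived from ts
    msg = f"{module}|{ts}|{nonce}".encode()
    sig = hmac.new(secret, msg, hashlib.sha256).hexdigest()
    return urlencode({"module": module, "ts": ts, "nonce": nonce, "sig": sig})


class Verifier:
    """Receiving-side check: signature, freshness window, then replay cache."""

    def __init__(self, secret, max_skew=MAX_SKEW):
        self.secret = secret
        self.max_skew = max_skew
        self.seen = {}  # nonce -> time after which it can be forgotten

    def verify(self, query, now=None):
        now = now if now is not None else time.time()
        params = {k: v[0] for k, v in parse_qs(query).items()}
        try:
            module, ts, nonce, sig = params["module"], int(params["ts"]), params["nonce"], params["sig"]
        except (KeyError, ValueError):
            return False, "malformed"
        msg = f"{module}|{ts}|{nonce}".encode()
        expected = hmac.new(self.secret, msg, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, sig):  # constant-time comparison
            return False, "bad signature"
        if abs(now - ts) > self.max_skew:
            return False, "stale timestamp"
        # A nonce only needs remembering while its timestamp is still acceptable.
        self.seen = {n: exp for n, exp in self.seen.items() if exp > now}
        if nonce in self.seen:
            return False, "replay"
        self.seen[nonce] = ts + self.max_skew
        return True, "ok"
```

Because the nonce is random rather than a hash of the timestamp, two requests in the same second still get distinct signatures, and the cache only has to hold nonces for one skew window.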