Soap security

Posted: Mon Aug 30, 2010 12:26 am
by abalfazl
Any tips for making PHP SOAP secure?

Re: Soap security

Posted: Mon Aug 30, 2010 1:03 am
by phpcip28
Not exactly sure what you mean. BUT... In every client-server API-like communication, the security check flow is just like in the case of the OpenID communication and goes like this:

You have the client C, further referred to as Consumer
You have the server S, further referred to as Server
You assign the C a Consumer Key
You assign the C a SECRET KEY
You register that Consumer Key, AND Secret Key inside the S Server, so that you will be able to know how to encrypt-decrypt the Consumer requests in the Server side
In every request you make from C to S, you SIGN the request using that Consumer Key and the Secret Key, thus generating a Public Key.
When the request reaches the Server, you check for data signature using the same encryption method as you did with the Consumer Key

In translation, if you need to make this request:
http://server.com/get_data.php?data_id= ... ther_param

Your request would actually look like
http://server.com/get_data.php?data_id= ... public_key

Where the_generated_public_key will be:

// hash_hmac() takes the algorithm name first, then the data, then the key
hash_hmac('sha256', $data_id . $name . $CONSUMER_KEY, $SECRET_KEY);
This is all pretty self-explanatory, it just signs your request.
You'll just have to do the same in the server when you get the data.

This also works in the case of SOAP since all you'll have to do is compute an md5 hash based on the XML SOAP request.

Dunno if this makes way too much sense, but you should look up Google for "Consumer-server request signature" or something like that

Best of luck.
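The flow phpcip28 describes (Consumer Key, Secret Key registered on the Server, an HMAC over the request that the Server recomputes), worked through as an added example; this is not code from the thread or from any project it mentions. It assumes a constructed Consumer Key / Secret Key pair, constructed request parameters and a constructed SOAP envelope, and it uses a canonical (sorted, URL-encoded) form of the parameters plus a constant-time comparison so that both sides hash the same bytes and the Server does not leak the expected signature:

```php
<?php
// Added example, not from the original post: HMAC request signing between a
// Consumer (client) and a Server, following the flow described in the thread.
// Keys, parameter names and the SOAP envelope below are constructed samples.

declare(strict_types=1);

// Server-side registry: Consumer Key => Secret Key (constructed sample values).
const CONSUMERS = [
    'consumer-demo' => 'demo-secret-do-not-use-in-production',
];

/**
 * Canonicalise the request parameters so Consumer and Server hash identical
 * bytes: sort by name and URL-encode, so parameter order cannot change the result.
 */
function canonicalize(array $params): string
{
    ksort($params, SORT_STRING);
    return http_build_query($params, '', '&', PHP_QUERY_RFC3986);
}

/** Consumer side: HMAC over the canonical params and the Consumer Key, keyed with the Secret Key. */
function sign_request(array $params, string $consumerKey, string $secretKey): string
{
    $payload = canonicalize($params) . "\n" . $consumerKey;
    return hash_hmac('sha256', $payload, $secretKey);
}

/** Server side: look up the Secret Key for the presented Consumer Key and recompute. */
function verify_request(array $params, string $consumerKey, string $signature): bool
{
    if (!isset(CONSUMERS[$consumerKey])) {
        return false; // unknown Consumer Key
    }
    $expected = sign_request($params, $consumerKey, CONSUMERS[$consumerKey]);
    // Constant-time comparison: a plain == would leak the expected value byte by byte.
    return hash_equals($expected, $signature);
}

/** SOAP variant: sign the raw XML envelope instead of query parameters. */
function sign_soap_body(string $xml, string $consumerKey, string $secretKey): string
{
    return hash_hmac('sha256', $xml . "\n" . $consumerKey, $secretKey);
}

function verify_soap_body(string $xml, string $consumerKey, string $signature): bool
{
    if (!isset(CONSUMERS[$consumerKey])) {
        return false;
    }
    $expected = sign_soap_body($xml, $consumerKey, CONSUMERS[$consumerKey]);
    return hash_equals($expected, $signature);
}

// --- Demo: Consumer builds a GET request ---
$consumerKey = 'consumer-demo';
$secret      = CONSUMERS[$consumerKey];

$params = ['data_id' => '42', 'name' => 'report'];
$sig    = sign_request($params, $consumerKey, $secret);
$url    = 'http://server.com/get_data.php?' . canonicalize($params)
        . '&consumer_key=' . rawurlencode($consumerKey) . '&signature=' . $sig;
echo $url, PHP_EOL;

// --- Server side: split off consumer_key and signature, verify the rest ---
parse_str(parse_url($url, PHP_URL_QUERY), $received);
$presentedKey = $received['consumer_key'];
$presentedSig = $received['signature'];
unset($received['consumer_key'], $received['signature']);
var_dump(verify_request($received, $presentedKey, $presentedSig));

// A parameter altered in transit no longer matches the signature.
$received['data_id'] = '43';
var_dump(verify_request($received, $presentedKey, $presentedSig));

// --- SOAP: sign and verify a constructed envelope ---
$envelope = '<?xml version="1.0"?>'
          . '<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">'
          . '<soap:Body><getData><dataId>42</dataId></getData></soap:Body></soap:Envelope>';
$soapSig = sign_soap_body($envelope, $consumerKey, $secret);
var_dump(verify_soap_body($envelope, $consumerKey, $soapSig));
```

Run it with `php example.php`; the first and third checks succeed and the tampered request fails. The Secret Key never leaves the two registries, only the Consumer Key and the HMAC travel on the wire, and the Server must always recompute over exactly the bytes it will act on (the canonical parameters or the raw SOAP body it received), not over a re-serialised copy.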