Soap security

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

abalfazl
Forum Commoner
Posts: 71
Joined: Mon Sep 05, 2005 10:05 pm

Soap security

Post by abalfazl »

Any tips for making PHP SOAP secure?
phpcip28
Forum Newbie
Posts: 22
Joined: Sun Aug 29, 2010 1:38 pm
Location: NewYork

Re: Soap security

Post by phpcip28 »

Not exactly sure what you mean. BUT... In every client-server API-like communication, the security check flow is just like in the case of the OpenID communication and goes like this:

You have the client C, further referred to as Consumer
You have the server S, further referred to as Server
You assign the C a Consumer Key
You assign the C a SECRET KEY
You register that Consumer Key, AND Secret Key inside the S Server, so that you will be able to know how to encrypt-decrypt the Consumer requests in the Server side
In every request you make from C to S, you SIGN the request using that Consumer Key and the Secret Key, thus generating a Public Key.
When the request reaches the Server, you check for data signature using the same encryption method as you did with the Consumer Key

In translation, if you need to make this request:
http://server.com/get_data.php?data_id= ... ther_param

Your request would actually look like
http://server.com/get_data.php?data_id= ... public_key

Where the_generated_public_key will be:

Code:

// hash_hmac(algorithm, data, key): sign the request parameters and the consumer key with the secret key
$the_generated_public_key = hash_hmac('sha256', $data_id . $name . $CONSUMER_KEY, $SECRET_KEY);
This is all pretty self-explanatory, it just signs your request.
You'll just have to do the same in the server when you get the data.

This also works in the case of SOAP since all you'll have to do is compute an md5 hash based on the XML SOAP request.

Dunno if this makes way too much sense, but you should look up Google for "Consumer-server request signature" or something like that.

Best of luck.
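The signing flow described in the answer above, worked through as an added example (this is not code from the original post or from any project): a consumer signs its request parameters with HMAC-SHA256 under a shared secret, and the server looks the secret up by consumer key, recomputes the HMAC and compares it in constant time. The signature is what the post calls "the generated public key". The consumer key, secret, parameter names and the CONSUMERS registry are all constructed for illustration.

```php
<?php
// Added example: HMAC request signing between a PHP consumer and a PHP server
// that share a consumer key and a secret key. All names and values are
// constructed for illustration.

// Server-side registry of consumers: consumer key => secret key (constructed).
const CONSUMERS = [
    'consumer-abc' => 'example-secret-do-not-reuse',
];

// Build the canonical string that both sides sign. Sorting by parameter
// name means the signature does not depend on the order in which the
// client happened to append parameters to the query string.
function canonicalString(array $params): string
{
    ksort($params);
    $pairs = [];
    foreach ($params as $name => $value) {
        $pairs[] = rawurlencode($name) . '=' . rawurlencode((string) $value);
    }
    return implode('&', $pairs);
}

// Consumer side: add the consumer key, then sign everything with the secret.
function signRequest(array $params, string $consumerKey, string $secretKey): array
{
    $params['consumer_key'] = $consumerKey;
    unset($params['signature']);
    $params['signature'] = hash_hmac('sha256', canonicalString($params), $secretKey);
    return $params;
}

// Server side: look up the consumer's secret, recompute the HMAC over the
// same canonical string, and compare with hash_equals() so the comparison
// takes constant time regardless of where the two strings first differ.
function verifyRequest(array $params): bool
{
    if (!isset($params['consumer_key'], $params['signature'])) {
        return false;
    }
    $secret = CONSUMERS[$params['consumer_key']] ?? null;
    if ($secret === null) {
        return false;
    }
    $presented = (string) $params['signature'];
    unset($params['signature']);
    $expected = hash_hmac('sha256', canonicalString($params), $secret);
    return hash_equals($expected, $presented);
}

// For SOAP the same scheme applies to the XML body: sign the raw request
// body and carry the signature in an HTTP header or a SOAP header element.
function signSoapBody(string $xml, string $secretKey): string
{
    return hash_hmac('sha256', $xml, $secretKey);
}

// Constructed usage: sign on the consumer, verify on the server.
$signed = signRequest(['data_id' => 42, 'name' => 'report'], 'consumer-abc', CONSUMERS['consumer-abc']);
$query  = http_build_query($signed);   // what the consumer appends to get_data.php
parse_str($query, $received);          // what the server sees in $_GET
var_dump(verifyRequest($received));

$received['data_id'] = 43;             // any change to a signed parameter invalidates the signature
var_dump(verifyRequest($received));
```

The first verifyRequest() call succeeds because the server rebuilds exactly the string the consumer signed; after data_id is changed the recomputed HMAC no longer matches and the second call returns false. Using hash_equals() rather than == avoids leaking, through timing, how many leading bytes of a guessed signature were right.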