kepler Posted December 19, 2017

Hi,

I've created a REST API to provide several services to the users. Each one has a username, password and an API key, which is secret - it can only be decrypted by me.

My problem is that one of the apps is for the user to load a webpage and retrieve info from its calculations (which calls an API script). For now the system I'm using is this:

1) First, the user must write the current time to a file in his domain.
2) The user sends to the API the current URL (that must match my database IP info) along with a value equal to the API key + time.
3) On my side, I fetch the file that must reside at the URL he sent - which must match the domain IP registered by him - and the difference in time can't be more than 5 seconds.
4) I generate a session token which includes his API key plus time (encrypted) again and send it to him.
5) The request page is loaded with the API key and session token as hidden fields that, when run, must match again the info I have.

Can someone please advise on the refinement of this logic? Do I maintain the token for 5, 10, or 30 minutes? Or do I change it in every request?

Kind regards
Kepler
requinix Posted December 19, 2017

That's not a good scheme. Protip: do not invent cryptography on your own. Neither you nor anybody on this site has the knowledge to do it right.

What is the API for and how is it supposed to be used, not including the authentication bits?
gizmola Posted December 20, 2017

Rather than attempting to roll your own rather convoluted system, I would suggest you take a look at the JSON Web Tokens standard. I believe it solves the problems you are concerned about.

I don't know who your end users are, but expecting them to do anything other than simple and standard configuration in order to utilize your API is a pretty sure way to ensure that they won't want to bother.

Start here: https://jwt.io/
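To make the JWT suggestion concrete, here is an added example (editor's code, not posted by anyone in this thread and not taken from jwt.io) of what replaces the time-file scheme from the first post: the server issues a signed, expiring token after the client has authenticated once with its API key over TLS, and every later request is checked by verifying the signature and the `exp` claim. The token lifetime (`ttl_seconds`) is the knob the first post asks about; nothing from the user's domain is fetched, and the API key never appears in a hidden form field. Everything here is an assumption for illustration: the secret is a server-side HMAC key (not the user's API key), HS256 is the only algorithm accepted, and the subject/timestamps are constructed values. This is a minimal, standard-library-only sketch of the JWT structure; in production use a maintained JWT library rather than this code.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Any, Dict, Optional

# Assumption: one server-side signing key, loaded from config/KMS in practice.
# It is NOT the user's API key; the API key only authenticates the token request.
SERVER_SIGNING_KEY = b"example-server-hmac-key-replace-me"


def b64url_encode(data: bytes) -> str:
    """JWT uses unpadded base64url for every segment."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(segment: str) -> bytes:
    """Re-add the padding base64url stripped before decoding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def issue_token(secret: bytes, subject: str, ttl_seconds: int = 300,
                now: Optional[int] = None) -> str:
    """Build an HS256 JWT: base64url(header).base64url(payload).base64url(sig).

    ttl_seconds answers the "5, 10 or 30 minutes?" question: the lifetime is
    a policy choice encoded in the token itself, so no server-side state is
    needed to expire it.
    """
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"sub": subject, "iat": now, "exp": now + ttl_seconds}
    compact = lambda obj: json.dumps(obj, separators=(",", ":")).encode("utf-8")
    signing_input = b64url_encode(compact(header)) + "." + b64url_encode(compact(payload))
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def verify_token(secret: bytes, token: str,
                 now: Optional[int] = None) -> Optional[Dict[str, Any]]:
    """Return the payload if the token is well-formed, correctly signed by
    `secret`, and not expired; otherwise return None.

    Order matters: the algorithm is pinned and the signature is checked with a
    constant-time compare BEFORE any claim in the payload is trusted.
    """
    now = int(time.time()) if now is None else now
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
        # Pin the algorithm: refuse "none" and anything else the server did not issue.
        if not isinstance(header, dict) or header.get("alg") != "HS256":
            return None
        expected = hmac.new(secret, (header_b64 + "." + payload_b64).encode("ascii"),
                            hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
            return None
        payload = json.loads(b64url_decode(payload_b64))
    except (ValueError, TypeError):
        # Covers bad segment counts, invalid base64 and invalid JSON.
        return None
    exp = payload.get("exp") if isinstance(payload, dict) else None
    if not isinstance(exp, int) or now >= exp:
        return None
    return payload


if __name__ == "__main__":
    # Constructed timestamps so the run is deterministic.
    issued_at = 1_700_000_000
    tok = issue_token(SERVER_SIGNING_KEY, "alice", ttl_seconds=300, now=issued_at)
    print("token:", tok)
    print("valid at +100s:", verify_token(SERVER_SIGNING_KEY, tok, now=issued_at + 100))
    print("valid at +300s:", verify_token(SERVER_SIGNING_KEY, tok, now=issued_at + 300))
```

The client keeps the token (for a browser page, in an HttpOnly cookie or an Authorization header set by script, never as a hidden field alongside the API key) and presents it on each request; the server only needs the signing key, so no per-user file fetch or 5-second clock dance is involved. Rotating the token on every request adds little over a short `exp` and is a separate concern (refresh tokens) that the JWT ecosystem already covers.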