0

I am trying to find a reasonable solution to enforcing authentication between a client and a server via an API system. The API itself however isn't my problem, my problem is that where browsers typically support cookies and other means of letting the server know who it is an what its doing, the same isn't necessarily always the case with custom applications written in any possible languages.

I have had a look at some other questions, and the answers are useful for example: Authentication between client-side JavaScript application and Server Side HTTP API?

Unfortunately i had already thought of that and it doesn't implement the level of security that I'm after. What I need advice on is the approach to take when implementing (or maybe emulating) a kind of SSL that can be used on server to client scripts where the server and the client don't necessarily support SSL.

At the same time, this needs to be used to identify the client.

To summarize I need to implement a session keeping system and a data encryption system that will work with Apache and PHP, and a client written in any language running on any device.

Sorry if the question is a little long winded.

Improve this question

1 Answer 1

Reset to default
1

You cannot reasonably get a secure system between a browser and a client without resorting to SSL/TLS. The reason being that there is no way to trust the information coming from the server or the client. As the client runs the untrusted code from the server, you cannot trust any JavaScript etc. within the page either.

What's missing is a method of authentication. SSL/TLS provides this by using a trusted certificate store within the browser. Unfortunately, there is no (standardized) way to use a trusted store from a scripting language. You could try a signed Java Applet, but I don't think that method will make you popular.

So basically you should resort to using SSL/TLS. I don't think there are many browsers that do not support SSL/TLS, and those that don't support it are unlikely to support advanced authentication methods anyway.

Improve this answer
Sign up to request clarification or add additional context in comments.

3 Comments

Then I guess from a security standpoint i'll have to rely on the technology use to communicate. Another aspect to this, since i am building an API service, is it safe to assume that any application capable of sending requests to an HTTP server is also able to provide the same request headers that PHP is able to read from most requests from browsers? And is PHP able to keep a session for such applications?
That's another question, Flosculus.
Thanks, i posted it here stackoverflow.com/questions/12717522/… and you answered my first question.

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.