I have Apache Web Server running to server a website (using angular.js), Now I am going to add Authentication to my website. The Authentication which I am going to use returns me POST request with user token.
Now I need to process the token, If he is valid user I need to give him access to my website.
As I should process the POST Request, I found there is little support for Apache Web Server like apreq.
So, I am thinking to replace apache with php or node.js. So are there other ways to process POST method request in Apache or which would be better alternative among php or node.js?
Related
I want use POST to Transfer data between PHP server and Android client, how to improve security? For example, how can you ensure that believable and successful access to the server API can only be my Android client?
because of app have Login mechanism, so I think I should add the account verification code in every post(It consists of user password and so on, may be encrypted by MD5), Then every POST have clear sources, if the source is invalid(don't have verification code or it's wrong), Server denial of service. Is this feasible?
I would recommend setting up a RESTful web service first of all. This would allow you to filter requests coming from the Android client by their method, for example only handing POST for certain end points.
If you knew that only an Android client would be accessing your server you could also enforce that a "client" or "auth" token (simply a JSON property) must be sent with every request and you would then only supply this token to the Android client implementation and refuse any attempt to access your server which didn't include the token.
It's also important not to access superglobals such as $_POST in PHP directly, instead use filter_input().
This is just a suggestion and there is much more you can do.
I wrote PHP code that allows me to communicate with a REST API.
My PHP call issues a cURL call to communicate with the API service. However, I am running into a weird issue where the data that is being received by the API is not what is being sent using cURL.
I would like to setup some type of a middle man to ensure that the request that I send to from Apache is the same data that is received by the API.
The information that I am interested to see is
Request/Received Header
Request/Received Body
I am thinking about ruining Wireshark on the Apache server to capture the packets that are going from my Apache to the API and also everything that is being received from the API to Apache.
After installing Wireshark on the Apache server "a Windows 7 machine" I see a lot of data.
How can I tell Wireshark to only capture the data from Apache to the API and from the API to Apache only?
Thank you for your help.
There are many tools for API tsting, starting from very easy to use browser plugins and finishing with someting quite complicated as Apache Jmeter. The idea is to make the calls from your testing software to the API and analyse the request and response. if you are on windows you can use something like Fiddler to intercept the packages that are going out from your machine. If you have access to client server I assume there are tools for various OS to intercept the outgoing packages and analyse them, but you would have to google for those.
to filter HTTP results in Wireshark, just type http in the filter field and click Apply
to have a better look, just start th capture before the HTTP request and stop it juste after
afterward, if you know the IP of the API server, you can filter a step more with :
http && ip.dst == X.X.X.X
I'm developing a Hybrid App where I use ajax requests to connect to a remote database. The database is accessed through the Laravel(5) framework. When I send requests to the remote laravel web app, I get the following case.
Error with message, No Access Control Allow Origin Header Present.
To solve this problem I added the access control headers to the index.php at public/ directory. Then the above error no longer occurs(Yes, I know that we can do the same using a Middleware and it is the recommended way). But then an internal server error occurs saying csrf Token mismatch exception. I know that if this was a web appilication, we could have easily added the csrf_token. Since this is a hybrid app, I cant set a token since I can't run any PHP here and I can't obtain a token by an ajax request.
Up to now, I have read almost every thread related to this in Laravel Forums. But there were no feasible answer. Does anyone have an idea about how to solve this issue?
Thanks in Advance!
I'm in need of using NTLM authentication in my web application against an IMAP mail server. Authentication in the web app itself is NTLM too. Thus, the user opens the web app interface and the web server end grabs the inbox of that user on the mail server authenticating via NTLM. Is that possible if I never store (neither I have access to) the user's password?
Is there any way to link the client's browser and the IMAP server via my web app so that token exchange would occur between them and I would just act as a gateway between them. Or, is there any other method to accomplish this task without knowing the password?
The web app can be asp.net/iis or php/apache. Either option will work for me.
Looks like I had a bad day yesterday, otherwise have no idea why I couldn't figure it out that time as it's so simple!
If Windows authentication is enabled, the web app already gets the context of that interactive user who accessed the app. I can then authenticate against NTLM-enabled IMAP server via Integrated Windows Authentication just the same way I would in a desktop application.
I.e. they key point is that there is no need in the web app to somehow pass NTLM token from the browser to the IMAP server. It's just a two stages process:
- first, the browser (running under interactive user) creates NTLM token via winapi functions and sends it to the web app so that finally the app acquires that interactive user context
- then, the web app running under the interactive user context creates a new token via the same winapi functions and sends it to the IMAP server.
I want to transfer 10 user details from my server database to another server.The other server can call a php page (in my sever) which can supply the needed 10 user details.This should happen in such a way that a user using the site must not understand that the data is coming from another server.
I will recommend using WebService for this purpose. In the Server A (provider) you will code this webservice to serve the users as requested by server B(consumer), So you will be able to consume the services provided by A at any time and being transparent for the USER.
References:
WebService
XML-RPC
SOAP
You can implement JSON-RPC server and client.