I am implementing kerberos in php. Here, a trusted authenticating server issues ticket for the purpose of authenticating client to other server. Thus there involves transferring of tickets and ids, etc among the three entities( auth server, client and other server). So now the question is what can be use to transfer data?
For example, the client logs in on other sever. The auth server creates an encrypted ticket for client.Now this must be transferred to the client. similarly client needs to send this ticket to other server, so that other server can verify it.
I have some options like cURL or javascript XHR.
I'm not sure if they can be used in this situation. I seek someones guidance.
Thank you.
I would go with cURL.
If you use Javascript you are exposing URLs where you are going to process data, and this could make a possible security breach.
Ofcourse, you must never trust user-input, but to me it's simple:
Only use server-side
Related
I want use POST to Transfer data between PHP server and Android client, how to improve security? For example, how can you ensure that believable and successful access to the server API can only be my Android client?
because of app have Login mechanism, so I think I should add the account verification code in every post(It consists of user password and so on, may be encrypted by MD5), Then every POST have clear sources, if the source is invalid(don't have verification code or it's wrong), Server denial of service. Is this feasible?
I would recommend setting up a RESTful web service first of all. This would allow you to filter requests coming from the Android client by their method, for example only handing POST for certain end points.
If you knew that only an Android client would be accessing your server you could also enforce that a "client" or "auth" token (simply a JSON property) must be sent with every request and you would then only supply this token to the Android client implementation and refuse any attempt to access your server which didn't include the token.
It's also important not to access superglobals such as $_POST in PHP directly, instead use filter_input().
This is just a suggestion and there is much more you can do.
My iOS app needs to connect to a mysql server. To accomplish this, I'd like to create a webapp that acts as the middleman between the client side apps and the server side database.
My concern is that someone can simply figure out the URL that my app uses and pass their own URL parameters - and since the webapp has no idea whether legitimate data is being sent from my iOS app vs. someone just typing in the properly crafted URL from any web browser, the system will be vulnerable.
Let's say I have a PHP function for marking a user as "verified" (after I send them an email verification code). This is pretty standard stuff, but what's stopping someone from making the same request from a web browser?
Of course, the user that the app uses to make database queries will have limited privileges, so the rest of the database won't be at risk. However, even having users activating their accounts from outside the app would be catastrophic.
The option that I thought of was using https so that even if the user figures out the URL, they won't know the password and wouldn't be able to sniff it since it's encrypted from start to finish. Unfortunately, https can be expensive for a poor college student, so I'd like an alternative if one exists.
As stated before, there is no 100 % security possible. But there are several solutions that put together give great security.
Https
As you point out, this is an important part , as it prevents sniffing.
Sessions
Use sessions and don't allow any request without a valid session ( except the first, that must authenticate the app ).
Fingerprint
Check the user agent and set extra http headers, to get a fingerprint unique to your app. ( Still someone could sniff, but he needed to use curl or similar. )
Obfuscate requests
Build your query string and apply a hash function. The server needs to implement the reverse function. ?43adbf764Fz instead of ?a=1&b=2
Encrypt
This goes a step further. Use a shared secret to calculate a hash. On the server repeat the same. This is already strong security. In order to break, one needs to reverse engineer your app.
Use unique shared secret
You say it is a app for iOS. Upon installation a unique token is generated by iOS. Have your app register this token with your server. Like this you have a strong shared secret unique to each installation, and there would be no way to hack your web app.
I'm starting a new application that will have a server side PHP and client in Android another (at the moment, and then also probably iphone). The application will only be used from mobile customer applications ie not to be used by web. My question is what would be the best way to login to this mode of operation?
thank you very much
It sounds to me as if the server side will be some sort of API that opens up access to a users data. The easiest method would be sending along a stored username and password with each request. This would only work if the connection your using is secure (https) which brings in the hassle of obtaining an ssl certificate.
Another option would be using OAuth, though your use case seems a little bit different than the standard OAuth use-case. OAuth is a protocol that uses a token based system to establish a users permission to access certain data from an application by another application. In your case you would be in control of both the first and the second application (hence my remark on being different than the standard use-case) Read here for more info.
I think it will be more easier if you use a webservice to make this connection between android and php server
this Presentation may help you ..
you are gonna deal with SOAP and xml or JSON to send data from android to php server.
and this a Video that shows how to deal with REST android Apps.
hope that help.
I think building an API on the server-side would be the best approach. For example a simple REST endpoint might be the way to go.
You can also host the API over HTTPS so that the communications channel is secure.
you need to create PHP web service for that. and while accessing you can pass security key like IMEI of phone for log. I think it can be secured mode for login from Android Phone.
Best practice these days is to set up a simple JSON web service, and use the built in Android HTTP & JSON libraries to interact with this service.
Create a login page in android, take the values from the fields send those values to server using httppost there store in your database and send response from the server
i think you first make a login form on Php server and send it the login and password as soon as user types and php returns the JSON object then read it if login is accepted by server login to application.
another way is when user don't have the net access make some Content providers on android and store the user pass there and match from there locally.
we need to send an http post from an iphone device to our server with some info which the device token (APNS) which we want to store. How on the server do you read the HTTP post and store what is in it? We just have a standard ISP hosted server which currently just has a website.
Thanks
There are many ways you could do this. You probably want to store the values in a database. Your hosting account probably has databases. Find out what database software is installed. The chances of it being MySQL http://www.mysql.com/ are high.
Depending on what you want to do with the data, a simple PHP http://php.net/index.php script that accepts POST data, parses and checks it would be fine. However, be careful. You should do some kind of authentication prior to inserting the data into the database. Or maybe the value you are sending to the server is already encrypted and you can verify it that way.
You could also use Perl, Python, Ruby, etc. It depends on what your host supports.
I am writing a game server plugin, and writing a web interface to control it. I am considering detouring the GetPacket() function in the game server, and sending custom packets from my web panel and using GetPacket() to interpret them. My only concern is security as obviously I don't want to just send open data out. What can I read up on as far as packet encryption goes between a php script and a c++ application?
You should be careful, you are getting into some difficult territory. My first reaction to this post is that your probably don't need encryption. Keep in mind that you can't keep a secret from the user. The user can use a debugger and obtain any data passed to GetPacket() very easily.
But, if you need to keep secrets from other people on the network then you do need to use encryption. To do this with VERY securely and simply you should use what has already available to everyone: OpenSSL. You can purchase a real SSL certificate for the server that is running your PHP code for about $30. Then you can use the C++ OpenSSL library to connect over HTTPS.