Client / Server security from mobile to website
Hey. I'm new to the world of web programming and learning a bunch of fairly simple new pieces of tech, trying to piece them all together.
So, we have a simple client (currently iPhone, to move to J2ME soon) that's pulling down lists of data via PHP, which is talking to a MySQL db. I have a rudimentary user/login system so that data is only served to someone who matches a known user etc, either on the website or on the client.
All the PHP scripts on the website that query the DB check to make sure an active session is in place, otherwise dumping the user back to the login screen.
I've read a little about SSL and want to know if that is sufficient to protect the website AND the data passing between the server and the client?
HTTPS is about protecting data and authenticating the endpoints. You still have to worry about properly authenticating the client to access your services. You also have to worry about vulnerabilities such as SQL Injection and other vulnerabilities that affect PHP. I highly recommend reading The OWASP Top 10 2010 A3: Broken Authentication and Session Management to make sure your session implementation is secure.
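To make the session check and the SQL concerns concrete, here is an added example (not code from the question or either answer) of one of the PHP data endpoints the question describes, hardened along the lines of the answer above. It assumes a MySQL database reachable via PDO, a hypothetical `items` table with `owner_id` and `category` columns, and that the login script stores the user's id in `$_SESSION['user_id']`.

```php
<?php
// Assumed connection details; placeholders, not values from the page.
$pdo = new PDO('mysql:host=localhost;dbname=app;charset=utf8mb4', 'app_user', 'app_pass', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,   // real server-side prepared statements
]);

// Session hardening has to be configured before session_start().
ini_set('session.use_only_cookies', '1');  // never accept a session id from the URL
ini_set('session.use_strict_mode', '1');   // reject ids the server did not issue
session_set_cookie_params([
    'lifetime' => 0,
    'path'     => '/',
    'secure'   => true,      // cookie is only ever sent over HTTPS
    'httponly' => true,      // not readable from JavaScript
    'samesite' => 'Strict',
]);
session_start();

// Returns the logged-in user's id, or redirects to the login page.
function require_login(): int {
    if (empty($_SESSION['user_id'])) {
        header('Location: /login.php', true, 303);
        exit;
    }
    // Rotate the session id now and then so a leaked id stays useful only briefly.
    if (!isset($_SESSION['rotated_at']) || time() - $_SESSION['rotated_at'] > 300) {
        session_regenerate_id(true);
        $_SESSION['rotated_at'] = time();
    }
    return (int) $_SESSION['user_id'];
}

// Prepared statement: the client-supplied category is bound as data and can
// never become part of the SQL text, and rows are scoped to the caller's own id.
function fetch_items(PDO $pdo, int $userId, string $category): array {
    $stmt = $pdo->prepare(
        'SELECT id, name FROM items WHERE owner_id = :uid AND category = :cat'
    );
    $stmt->execute([':uid' => $userId, ':cat' => $category]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$userId   = require_login();
$category = $_GET['category'] ?? '';
header('Content-Type: application/json');
echo json_encode(fetch_items($pdo, $userId, $category));
```

The mobile client then just needs to keep and resend the session cookie it received at login, and because of the `secure` flag it will only be sent over HTTPS.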
Yes, SSL is sufficient to secure the connection between the client and the server, given that it's properly set up.
Your user credentials should also be sent across from client to server over an SSL connection.