开发者

Web security question regarding an API

问答 作者:

I'm building an API with no server-side authentication. A unique key (assume the key is very long and impossible to guess) will be generated for the session, but no cookie will be set on the client. The client could be a web browser with AJAX, a PHP script using CURL, or a desktop application. The normal transaction process I'm imagining will be:

Initial encounter

  1. The client makes an initial request, calling a start_session method
  2. The server generates a key and returns it along with some initial data
  3. The client stores the key for later use (e.g. JavaScript sets a cookie with the key)

Next request

  1. The client requests the server again, calling some set_data method, providing the original session key, as well as loads of private data such as a credit card number, information about legal cases, etc.
  2. The server responds, and the responds with a success message

Another request

  1. The client requests the server again, providing the original session key, and calling some get_data method
  2. The server responds with all of the private data in some format (e.g. XML, JSON, etc)

A session key expires, if not used, in a 20 minutes, and all API URIs will require SSL.

My concern / question is: Do I need to be worried about whether the client has leaked 开发者_JAVA技巧the session key. Without authentication, I'm trusting that the original requester to keep the session key private. Is this common / safe practice?

Unless you use HTTPS throughout, you're vulnerable to HTTP sniffing, a la Firesheep.

Eve, if you do use SSL, if the client page isn't SSL or contains any non-SSL Javascript (or non-SSL frames in the same domain), you're still vulnerable (and there's nothing you can do about it)

To answer your stated question, it completely depends on your situation.
EDIT: You should warn your clients (developers) in the documentation page to handle the key correctly.
Beyond that, it depends on the average skill level of the clients.
You should probably have a disclaimer of some sort (I am not a lawyer).

It's probably OK.

继续阅读:securitysession-cookies

更多精彩内容

0

上一篇:

下一篇:

精彩评论

暂无评论...
登录 注册
Qedev.com
验证码 换一张
取 消

最新问答

问答排行榜

法律声明:本站内容均为网友上传,网站举办方负责审核和监督,

如存在版权或非法内容,欢迎举报,我们将尽快予以删除。

Copyright © 2018-2020 开发者. All rights reserved.

Powered by 开发者

ICP备案号: 京ICP备10032868号-9