Web App API & Security

What is the generalised process for an application to access a web application via a REST API?

I know and understand the principle of the API and the way it works, but I am unclear as to the best way to validate the user etc. I am looking to build a desktop app that accesses data from my web app over an API. Unlike traditional browser-based access where a session is involved, I understand that with an API I can pass a username and password, but I am a little unsure as to the best way to pass these credentials. For example, with a GET request, how can we pass the credentials on the GET string without risking being intercepted?

Also, what makes POSTs more secure, apart from the fact that the credentials are in the request body and not in the actual URL itself?


Ray Paseur commented:
IT Security is a full-time four year college major, so I'll try to help with some of the specifics, but if you're new to this topic area, consider getting involved with OWASP to get some quick learning.


PHP has its own set of guidelines:

What you're trying to secure matters. The procedures are different for bowling scores, medical records, financial transactions, and nuclear launch codes. And the most important balance is between "secure" and "sucks" in that if you secure things enough, your clients will just go away.

You can pass the username and password in the HTTP request. You can generate an API key and use that in each request. This is how Google secures its rate-limited applications. Credentials can (and will) be intercepted. The request method (GET or POST) does not protect the data. You may want to keep a list of authorized IP addresses. You may want to access a secondary file on the requesting client for an additional check.

You can use OAuth. This is how Google secures its authenticated applications.

You want to authenticate early in the request lifecycle and ignore invalid requests.

You may find that the PHP Session is useful if your requesting clients act like well-behaved browsers, accepting and returning cookies and following redirection.
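To make the API-key approach and the "authenticate early" advice from the answer above concrete, here is an added example (my own code, not from the answer's author or any library). It assumes a hypothetical `ISSUED_KEYS` store that holds only hashes of issued keys, takes the key from the `Authorization` header rather than the URL, and runs the check before any routing. Note that it treats GET and POST identically, since the method does not protect the credential; only TLS on the connection does.

```python
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs

# Constructed store: server keeps only a SHA-256 fingerprint of each issued key.
# "desktop-app-key-EXAMPLE" is a hypothetical key used for illustration only.
ISSUED_KEYS = {
    hashlib.sha256(b"desktop-app-key-EXAMPLE").hexdigest(): "desktop-app",
}

def key_fingerprint(api_key: str) -> str:
    """Hash a key so a leaked store does not leak usable credentials."""
    return hashlib.sha256(api_key.encode()).hexdigest()

def issue_key(client: str) -> str:
    """Generate a random key, store only its hash, return the plaintext once."""
    key = secrets.token_urlsafe(32)
    ISSUED_KEYS[key_fingerprint(key)] = client
    return key

def authenticate(headers: dict, query_string: str = ""):
    """Runs first in the request lifecycle, before routing or any DB work.
    A key in the query string is refused outright: URLs end up in server,
    proxy and access logs even when the connection itself is HTTPS."""
    if "api_key" in parse_qs(query_string):
        return None, "credentials must not be sent in the URL"
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme != "Bearer" or not token:
        return None, "missing bearer token"
    presented = key_fingerprint(token)
    # Constant-time comparison so response timing does not leak how close
    # a guessed key was to a real one.
    for stored, client in ISSUED_KEYS.items():
        if hmac.compare_digest(presented, stored):
            return client, None
    return None, "invalid credentials"

def handle_request(method, path, headers, query_string="", body=b""):
    """GET and POST take the same path: the method plays no role in auth."""
    client, err = authenticate(headers, query_string)
    if err:
        return 401, {"error": err}
    return 200, {"client": client, "method": method, "path": path}
```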

Dave Baldwin (Fixer of Problems) commented:
You should also be using a 'secure' "https" connection. That means that you have to get an SSL/TLS certificate for your web site that is serving the API. That makes it much more difficult to eavesdrop on your messages and data.