HandleSpecialURL security

Hi,

I’ve created my web app and its API. What is a good way to secure it so that only authenticated users can use it?
I don’t want to pass the username and password in the URL; is there another way?

It will be used by my Xojo apps and a Xojo iOS app, as well as some third-party stuff.

[quote=213047:@Russ Lunn]Hi,

I’ve created my web app and its API. What is a good way to secure it so that only authenticated users can use it?
I don’t want to pass the username and password in the URL; is there another way?

It will be used by my Xojo apps and a Xojo iOS app, as well as some third-party stuff.[/quote]

You may want to use something like this in the iOS app:

  • Get date.now SecondsFrom1970
  • Apply some encryption to that number (does not have to be very elaborate)
  • EncodeBase64
  • Use that as the path

In HandleURL,

  • decodeBase64 the path
  • decrypt
  • Compare with Xojo.Core.Date Date.Now SecondsFrom1970

If the result is less than a second or two, you know the path has been created by your app.

You could use RC4 for encryption. See https://forum.xojo.com/22409-rc4-method-for-ios

Ah, I need the username and password, because certain users cannot see some of the API.

Assuming you’re using HTTPS, you can POST username/password and then check it.

You could always expect a POST with username/password included, but generally it’s better to generate and save a token string on API login that is passed back to the client, which from then on passes the token with each request along with a username or other identifier that can be checked against the saved token string on the server.
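The login-token scheme described in the post above, written out as an added Python example (it is not Xojo code and not from this thread): the client POSTs username/password once, gets back a random token, and sends that token in an `Authorization: Bearer` header on every later request, so nothing secret ever sits in the URL. The user store, the one-hour token lifetime and the request/response shapes are constructed for the example; the server keeps only a SHA-256 of each token, so a copied token table does not hand out working credentials.

```python
"""Added example: opaque API tokens issued at login and checked per request."""
import hashlib
import hmac
import secrets
import time
from typing import Dict, Optional, Tuple

TOKEN_TTL_SECONDS = 3600  # assumption: tokens expire after an hour
PBKDF2_ROUNDS = 100_000   # assumption: tune to the server's budget


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


# Constructed user store: only password hashes are kept, never plaintext.
_SALT = secrets.token_bytes(16)
USERS = {
    "alice": {"pw": _hash_password("correct horse", _SALT), "role": "admin"},
    "bob": {"pw": _hash_password("battery staple", _SALT), "role": "user"},
}
_DUMMY_HASH = _hash_password("", _SALT)  # used so unknown users cost the same time

# Server-side token table: sha256(token) -> (username, expiry timestamp)
TOKENS: Dict[str, Tuple[str, float]] = {}


def _token_key(token: str) -> str:
    return hashlib.sha256(token.encode()).hexdigest()


def login(username: str, password: str, now: Optional[float] = None) -> Optional[str]:
    """Check credentials (from an HTTPS POST body); on success issue a fresh token."""
    now = time.time() if now is None else now
    user = USERS.get(username)
    expected = user["pw"] if user else _DUMMY_HASH
    ok = hmac.compare_digest(_hash_password(password, _SALT), expected)
    if user is None or not ok:
        return None
    token = secrets.token_urlsafe(32)  # 256 bits of randomness, URL-safe text
    TOKENS[_token_key(token)] = (username, now + TOKEN_TTL_SECONDS)
    return token


def authenticate(headers: Dict[str, str], now: Optional[float] = None) -> Optional[str]:
    """Resolve the bearer token in the Authorization header to a username."""
    now = time.time() if now is None else now
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return None
    key = _token_key(auth[len("Bearer "):])
    entry = TOKENS.get(key)
    if entry is None:
        return None
    username, expiry = entry
    if now >= expiry:
        TOKENS.pop(key, None)  # expired: drop it so it cannot be reused later
        return None
    return username


def handle_request(path: str, headers: Dict[str, str],
                   now: Optional[float] = None) -> Tuple[int, str]:
    """Every path needs a valid token; admin paths also need the admin role."""
    username = authenticate(headers, now)
    if username is None:
        return 401, "unauthorized"
    if path.startswith("/api/admin/") and USERS[username]["role"] != "admin":
        return 403, "forbidden"
    return 200, f"hello {username}"


def logout(token: str) -> None:
    """Invalidate a token explicitly instead of waiting for expiry."""
    TOKENS.pop(_token_key(token), None)


if __name__ == "__main__":
    tok = login("alice", "correct horse")
    print(handle_request("/api/admin/users", {"Authorization": f"Bearer {tok}"}))
```

In a Xojo web app the same checks would live in HandleURL/HandleSpecialURL, reading the header from the request object and the credentials from the POST body; the parts that matter are the random token, hashing it before storage, constant-time comparison, an expiry, and a per-path role check so the "certain users cannot see some of the API" requirement is enforced on the server rather than trusted from the client.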

I tend to use their email address and a Hex code hash of the app name, email and maybe expiry date, etc. That way they can’t use the same Hex code for different apps from me, and they’re less likely to tell someone the code since it links to themselves.
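The hex-code idea from the post above, with the timestamped-path idea from the earlier reply folded in as the special case of a very short expiry, as an added Python example that is not from this thread or from Xojo. It uses an HMAC-SHA256 over the app name, email and expiry in place of the RC4 step, so the server verifies a code by recomputing the MAC with its own key instead of decrypting; the key, app names and addresses are constructed for the example. A code minted for one app does not verify for another, and any edit to the email or expiry breaks the MAC.

```python
"""Added example: a self-describing hex code bound to app name, email and expiry."""
import hashlib
import hmac
import time
from typing import Optional

# Assumption: a per-server secret; in practice loaded from config, not source.
SERVER_KEY = b"constructed-example-key-rotate-me"


def _mac(app: str, email: str, expiry: int) -> str:
    """MAC over the three fields; the key never leaves the server."""
    msg = f"{app}|{email.lower()}|{expiry}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def issue_code(app: str, email: str, expiry: int) -> str:
    """The code handed to the user: hex-encoded fields plus the MAC.

    Fields are hex-encoded so a '|' inside an email cannot confuse the split.
    """
    fields = "|".join(x.encode().hex() for x in (app, email.lower(), str(expiry)))
    return f"{fields}|{_mac(app, email, expiry)}"


def verify_code(code: str, expected_app: str,
                now: Optional[float] = None) -> Optional[str]:
    """Return the email the code was issued to, or None if it is malformed,
    tampered with, issued for another app, or past its expiry."""
    now = time.time() if now is None else now
    parts = code.split("|")
    if len(parts) != 4:
        return None
    try:
        app = bytes.fromhex(parts[0]).decode()
        email = bytes.fromhex(parts[1]).decode()
        expiry = int(bytes.fromhex(parts[2]).decode())
    except ValueError:  # bad hex, bad UTF-8 or non-numeric expiry
        return None
    mac = parts[3]
    if app != expected_app:
        return None  # minted for a different app of ours
    if not hmac.compare_digest(mac, _mac(app, email, expiry)):
        return None  # fields edited, or signed with a different key
    if now >= expiry:
        return None
    return email


if __name__ == "__main__":
    code = issue_code("MyApp", "Alice@Example.com", int(time.time()) + 86400)
    print(code)
    print(verify_code(code, "MyApp"))
```

Setting the expiry to `now + 2` turns the same code into the "created in the last second or two" stamp from the earlier reply: `verify_code` accepts it inside the window and rejects it afterwards. What such a stamp proves is that something holding the key produced the request recently; it does not identify the user, and a request captured in transit can be replayed within the window, which is why HTTPS and a per-user code or token are still needed for the authorization question in this thread.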

You might have a look at this site: https://www.owasp.org/index.php/Cheat_Sheets