Secure authorization in an API-based application?
I am building an application and, first of all, I am developing the API. I got stuck at authorization. How do I make it safe?
In my understanding, it currently looks like this:
1. We call the method with a login and password ( /auth/login/[email protected]&password=123456 )
2. The server checks the data and, if successful, generates and returns a token, which is written in cookies.
3. With this token, we later call other API methods.
Well, in general, that's all... But it all looks somehow not very safe. It is enough just to know this token, and you can use someone else's accounts.
So what's the best way to do it?
By the way, I use the PHP Slim Framework.
Install SSL for better security. For example: StartSSL - free
Use POST instead of GET. I read somewhere that it is safer.
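
The flow from the question with both answers applied (HTTPS, credentials in a POST body), as an added example that is not part of the thread. It is plain PHP with no Slim-specific calls; the function names, the in-memory `$users` and `$tokens` stores and the sample account are assumptions constructed for illustration.

```php
<?php
declare(strict_types=1);

const TOKEN_TTL = 3600; // seconds a token stays valid (assumed value)

// Constructed sample data standing in for a database.
$users  = ['alice@example.test' => password_hash('correct horse battery', PASSWORD_DEFAULT)];
$tokens = []; // sha256(token) => ['user' => ..., 'expires' => ...]

// Steps 1-2: credentials come from the POST body, so they stay out of URLs and access logs.
function login(array $post, array $users, array &$tokens): ?string
{
    $email = (string)($post['email'] ?? '');
    $pass  = (string)($post['password'] ?? '');
    if (!isset($users[$email]) || !password_verify($pass, $users[$email])) {
        return null;
    }
    $token = bin2hex(random_bytes(32)); // 256 bits from the CSPRNG, not guessable
    // Keep only a hash server-side: a leaked token table cannot be replayed.
    $tokens[hash('sha256', $token)] = ['user' => $email, 'expires' => time() + TOKEN_TTL];
    return $token;
}

// Cookie attributes: sent over HTTPS only, unreadable from JavaScript, not sent cross-site.
function cookieOptions(): array
{
    return ['expires' => time() + TOKEN_TTL, 'path' => '/',
            'secure' => true, 'httponly' => true, 'samesite' => 'Strict'];
}

// Step 3: every later API call resolves the cookie to a user, or rejects it.
function authenticate(array $cookies, array &$tokens): ?string
{
    $key = hash('sha256', (string)($cookies['token'] ?? ''));
    $row = $tokens[$key] ?? null;
    if ($row === null) {
        return null;
    }
    if ($row['expires'] < time()) { // expired: revoke and reject
        unset($tokens[$key]);
        return null;
    }
    return $row['user'];
}

$token = login(['email' => 'alice@example.test', 'password' => 'correct horse battery'], $users, $tokens);
// In a web request: setcookie('token', $token, cookieOptions());
var_dump(authenticate(['token' => $token], $tokens));
var_dump(authenticate(['token' => 'guessed-value'], $tokens));
```

The token is still a bearer secret, so the design limits where it can leak (TLS, `HttpOnly`, no query string) and how long a leaked copy works (expiry, server-side deletion on logout).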