<p>Your authentication model is shared-secret authentication. In your case your user's password serves as the shared secret. You need to ensure you have a secure way of getting the password to the user and the server ahead of time. In order to sign the request you create a message with all your request headers and data, then hash that request. That hash (token) is then passed with the request. The server performs the same signing and hashing process on its side and ensures the tokens match.</p> <p>In your example it sounds like you want to create the token with this pseudo code:</p> <pre><code>Token = hmac-sha1( Hash(Password + Salt) + RequestUrl + UserName ) </code></pre> <p>Your way is not bad, but I would compare your method to Amazon's REST Auth model and implement a closer version of what they have detailed. <a href="http://s3.amazonaws.com/doc/s3-developer-guide/RESTAuthentication.html" rel="nofollow">http://s3.amazonaws.com/doc/s3-developer-guide/RESTAuthentication.html</a></p> <p>Their implementation:</p> <pre><code>"Authorization: AWS " + AWSAccessKeyId + ":" + base64(hmac-sha1(VERB + "\n" + CONTENT-MD5 + "\n" + CONTENT-TYPE + "\n" + DATE + "\n" + CanonicalizedAmzHeaders + "\n" + CanonicalizedResource)) </code></pre> <p>They have good reasons for including some fields that you have left out, including but not limited to:</p> <ul> <li>The timestamp is to prevent replay attacks.</li> <li>The Content-MD5 is to prevent people tampering with the request data (relevant to POST and PUT).</li> </ul>
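<p>The following is an added worked example, not code from the answer above or from Amazon. It implements the S3-style scheme the answer recommends in Python: the client builds the StringToSign (following the layout in the linked Amazon document, where each canonicalized <code>x-amz-*</code> header line carries its own trailing newline), signs it with HMAC-SHA1 over a shared secret, and the server rebuilds and compares it. The server also enforces the two checks the answer calls out: the <code>Date</code> header must fall inside a clock-skew window and an accepted signature is remembered so the same request cannot be replayed, and <code>Content-MD5</code> must match the body actually received. The access key, secret, resource path and request body are constructed placeholders.</p>

```python
import base64
import email.utils
import hashlib
import hmac

# Constructed placeholder credentials (hypothetical; not real AWS keys).
ACCESS_KEY = "AKIAEXAMPLE"
SECRET_KEY = b"wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
CLOCK_SKEW_SECONDS = 300      # reject requests whose Date is more than 5 minutes off
FIXED_NOW = 1_700_000_000     # fixed "current time" so the demo is deterministic


def canonicalize_amz_headers(headers):
    """Lower-case and sort the x-amz-* headers; each line ends with '\\n'."""
    amz = sorted((k.lower().strip(), v.strip()) for k, v in headers.items()
                 if k.lower().startswith("x-amz-"))
    return "".join(f"{k}:{v}\n" for k, v in amz)


def string_to_sign(verb, md5, content_type, date, headers, resource):
    """StringToSign as laid out in the linked S3 REST authentication doc."""
    return (verb + "\n" + md5 + "\n" + content_type + "\n" + date + "\n"
            + canonicalize_amz_headers(headers) + resource)


def sign(secret, sts):
    """base64(hmac-sha1(secret, StringToSign))."""
    mac = hmac.new(secret, sts.encode(), hashlib.sha1).digest()
    return base64.b64encode(mac).decode()


def content_md5(body):
    """Content-MD5 header value: base64 of the raw MD5 digest of the body."""
    return base64.b64encode(hashlib.md5(body).digest()).decode()


def client_sign_request(verb, resource, body, content_type, date, extra=None,
                        key_id=ACCESS_KEY, secret=SECRET_KEY):
    """Client side: attach Date, Content-MD5 and the Authorization header."""
    headers = dict(extra or {})
    headers["Date"] = date
    headers["Content-Type"] = content_type
    headers["Content-MD5"] = content_md5(body)
    sts = string_to_sign(verb, headers["Content-MD5"], content_type, date,
                         headers, resource)
    headers["Authorization"] = f"AWS {key_id}:{sign(secret, sts)}"
    return {"verb": verb, "resource": resource, "headers": headers, "body": body}


class Verifier:
    """Server side: shared-secret store plus replay and tamper checks."""

    def __init__(self, keys, now):
        self.keys = keys        # access key id -> shared secret
        self.now = now          # callable returning the current epoch time
        self.seen = set()       # (key id, signature) pairs already accepted

    def verify(self, request):
        h = request["headers"]
        auth = h.get("Authorization", "")
        if not auth.startswith("AWS ") or ":" not in auth:
            return False, "malformed Authorization header"
        key_id, presented = auth[4:].split(":", 1)
        secret = self.keys.get(key_id)
        if secret is None:
            return False, "unknown access key"
        # Date bounds the replay window; a stale or unparsable Date is rejected.
        try:
            ts = email.utils.parsedate_to_datetime(h["Date"]).timestamp()
        except (KeyError, TypeError, ValueError):
            return False, "missing or unparsable Date"
        if abs(self.now() - ts) > CLOCK_SKEW_SECONDS:
            return False, "Date outside allowed clock skew"
        # Content-MD5 is covered by the signature, so checking it against the
        # received body catches tampering with the POST/PUT payload.
        if h.get("Content-MD5", "") != content_md5(request["body"]):
            return False, "Content-MD5 does not match body"
        sts = string_to_sign(request["verb"], h.get("Content-MD5", ""),
                             h.get("Content-Type", ""), h["Date"], h,
                             request["resource"])
        if not hmac.compare_digest(sign(secret, sts), presented):
            return False, "signature mismatch"
        # Same Date + same request => same signature; seen once is enough.
        if (key_id, presented) in self.seen:
            return False, "replayed request"
        self.seen.add((key_id, presented))
        return True, "ok"


def demo(now=FIXED_NOW):
    """Run a valid request, a replay, a tampered body and a stale Date."""
    v = Verifier({ACCESS_KEY: SECRET_KEY}, now=lambda: now)
    date = email.utils.formatdate(now, usegmt=True)
    body = b'{"amount": 10}'                       # constructed sample payload
    req = client_sign_request("PUT", "/bucket/key", body, "application/json",
                              date, {"x-amz-acl": "private"})
    results = {"valid": v.verify(req), "replay": v.verify(req)}
    results["tampered"] = v.verify(dict(req, body=b'{"amount": 10000}'))
    stale_date = email.utils.formatdate(now - 3600, usegmt=True)
    results["stale"] = v.verify(client_sign_request(
        "PUT", "/bucket/key", body, "application/json", stale_date))
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:9s} -> {outcome}")
```

<p>The server's replay memory only needs to retain signatures for as long as the skew window, since anything older is rejected by the <code>Date</code> check first. Note that <code>hmac.compare_digest</code> is used for the signature comparison so that the check does not leak timing information about how many leading characters matched.</p>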