Communicated-Key/Token for SOAP Authentication

Hi all,

I'm working on a relatively straightforward Web API that'll have a
SOAP presence.  The most secure way of going about doing
authentication would be undoubtedly client-certificate authentication.
I have been able to implement such a service straightforwardly as
there is plenty of documentation out there covering how to do so.  I
have some clients who're reluctant to manage client certificates at
this point in time, and do prefer a communicated-key authentication,
very similar to what Amazon and a few of the other big boys do.  I'm
having a bit of a difficult time coming up with multiple solutions as
to how to properly implement this for my service besides stuffing a
random hash into my database and making them send it to me over SSL
through their message payload.  I can then compare the hash against
what's in the database + their IP, or something else.

Would anyone be able to suggest some algorithm for the way I'm
handling the tokens that's more secure and less "brute-forcible" than
the methodology I described above?  My objective in this exercise is
not to only authenticate who's sending me the SOAP envelope, but also
to ensure that whatever token/key system I implement is not open for
very simple brute force.  If they're able to knock down my brick
house, I have other problems --- but I definitely want to build that
brick foundation.

Suggestions, web articles, books etc., are all welcome!

Thank you for any advice from you avid web service gurus.

/sf

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
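An added example (not code from the post or the list) of the keyed-HMAC request-signing pattern the poster compares to Amazon's: the shared secret stays server-side and is never placed in the payload, the client sends only an HMAC over the request together with a timestamp and nonce, and the server recomputes the HMAC and compares it in constant time. The header names, key id, secret and request body are constructed placeholders.

```php
<?php
// Added example: HMAC request signing for a SOAP endpoint (not the poster's code).
// Assumes a server-side store mapping a public key id to a secret; only the
// key id and the signature travel with the request, never the secret itself.

const CLOCK_SKEW_SECONDS = 300; // reject requests whose timestamp is older than this

// Constructed sample credential store; in practice this is a database table.
$credentials = ['KEYID-EXAMPLE' => 'constructed-secret-for-demo-only'];

// Canonical string covering everything the signature must bind: method, path,
// timestamp, nonce and a digest of the body, so the signature cannot be lifted
// onto a different request.
function stringToSign(string $method, string $path, string $ts, string $nonce, string $body): string {
    return implode("\n", [$method, $path, $ts, $nonce, hash('sha256', $body)]);
}

// Client side: produce the headers that accompany the SOAP envelope.
function signRequest(string $keyId, string $secret, string $method, string $path, string $body): array {
    $ts    = (string) time();
    $nonce = bin2hex(random_bytes(16));
    $sig   = hash_hmac('sha256', stringToSign($method, $path, $ts, $nonce, $body), $secret);
    return ['X-Key-Id' => $keyId, 'X-Timestamp' => $ts, 'X-Nonce' => $nonce, 'X-Signature' => $sig];
}

// Server side: look up the secret, bound the replay window, reject reused nonces,
// then recompute the HMAC and compare with hash_equals (constant time).
function verifyRequest(array $h, string $method, string $path, string $body, array $credentials, array &$seenNonces): bool {
    $keyId = $h['X-Key-Id'] ?? '';
    if (!isset($credentials[$keyId])) return false;                                   // unknown client
    if (abs(time() - (int) ($h['X-Timestamp'] ?? 0)) > CLOCK_SKEW_SECONDS) return false; // stale request
    $nonce = $h['X-Nonce'] ?? '';
    if ($nonce === '' || isset($seenNonces[$nonce])) return false;                     // replayed nonce
    $expected = hash_hmac('sha256', stringToSign($method, $path, $h['X-Timestamp'], $nonce, $body), $credentials[$keyId]);
    if (!hash_equals($expected, $h['X-Signature'] ?? '')) return false;                // bad signature
    $seenNonces[$nonce] = true; // remember the nonce for the length of the skew window
    return true;
}

// Demonstration with a constructed envelope.
$seen = [];
$body = '<soap:Envelope><soap:Body><GetItem id="42"/></soap:Body></soap:Envelope>';
$h = signRequest('KEYID-EXAMPLE', $credentials['KEYID-EXAMPLE'], 'POST', '/api/soap', $body);
var_dump(verifyRequest($h, 'POST', '/api/soap', $body, $credentials, $seen));              // bool(true)
var_dump(verifyRequest($h, 'POST', '/api/soap', $body, $credentials, $seen));              // bool(false): nonce reused
$h2 = signRequest('KEYID-EXAMPLE', $credentials['KEYID-EXAMPLE'], 'POST', '/api/soap', $body);
var_dump(verifyRequest($h2, 'POST', '/api/soap', $body . '<!-- tampered -->', $credentials, $seen)); // bool(false): body changed
```

Because the server must recompute the HMAC, the secret has to be stored in recoverable form, so the credential store needs the same protection as the client certificates it replaces.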

