Hi,

My app is running on domain example.com, but I fetch some data from domain api.example.com.

Example:

  1. User wants to add a new article.
  2. example.com sends a request to api.example.com/add

Question:

I would like to know which security I should use to verify the user. OAuth? Or should I send the user's password over POST? Thank you.

+1  A: 

If you're passing information to and from your own website, then use sessions to store the user data; you don't need OAuth (that's designed to validate users between different websites without requiring the password on the 3rd party's end).

fire
And make sure you transmit your data with proper encryption. HTTPS, for example.
anthares
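
A sketch of the session approach from the answer and comment above, added here as an example and not code from either poster. The cookie name `sid`, the 30-minute lifetime, the function names and the in-memory dict (standing in for a session store both hosts can read) are assumptions.

```python
import secrets
import time
from http.cookies import SimpleCookie

SESSION_TTL = 1800   # seconds; assumed lifetime
_sessions = {}       # stand-in for a store shared by example.com and api.example.com


def start_session(username):
    """Runs on example.com once the user has logged in there.
    Returns the Set-Cookie header value; the password is never stored or relayed."""
    sid = secrets.token_urlsafe(32)            # unguessable session id
    _sessions[sid] = {"user": username, "expires": time.time() + SESSION_TTL}
    cookie = SimpleCookie()
    cookie["sid"] = sid
    cookie["sid"]["domain"] = "example.com"    # browser also sends it to api.example.com
    cookie["sid"]["path"] = "/"
    cookie["sid"]["secure"] = True             # HTTPS only
    cookie["sid"]["httponly"] = True           # not readable from page scripts
    cookie["sid"]["samesite"] = "Lax"
    return cookie["sid"].OutputString()


def api_add(cookie_header, article, now=None):
    """Runs on api.example.com/add. Returns (status, body)."""
    now = time.time() if now is None else now
    jar = SimpleCookie()
    jar.load(cookie_header or "")
    sid = jar["sid"].value if "sid" in jar else ""
    session = _sessions.get(sid)
    if session is None:
        return 401, "no valid session"
    if session["expires"] <= now:
        _sessions.pop(sid, None)               # drop expired sessions on sight
        return 401, "session expired"
    return 201, f"article {article!r} added by {session['user']}"
```

If the browser itself calls api.example.com with `fetch`, the request must be sent with credentials included and the API's CORS policy must allow credentials from the example.com origin.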
A: 

If your api.example.com is meant to be used by other sites, you should have an authentication system on api.example.com (HTTP Basic + SSL, HTTP Digest, OAuth, etc.) which is used by example.com.

example.com should then not manage users (creation, authentication, etc.), only relay to api.example (maybe using the session to store api.example.com user credentials). But example.com should manage user preferences if those preferences refer only to example.com.

mathroc
Great! Thank you.
Bambert