I'm working on a webservice + AJAX interface, and I'm worried about authentication. At the moment I'm passing the username and password to the webservice as arguments, but I fear that this approach is highly insecure. I was told that SSL could solve my problem, but I want more alternatives.

My webservice is written in PHP and my interface is in PHP + AJAX. The webservice receives arguments from POST or GET and retrieves XML (in the future maybe I'll use JSON).

A: 

If I'm understanding the question, you have 1) AJAX posts to PHP, 2) PHP calls web service. You should have an SSL certificate for step 1. For step 2, an SSL certificate on the web service machine would also be secure. An alternative would be to set up a secure VPN between the web server and the web service's server.

Greg
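For step 2 of this answer (PHP calling the web service over HTTPS), the detail that matters in practice is that the client actually verifies the server certificate; an SSL endpoint with verification switched off is only encrypted to whoever answers. The following is an added example, not code from the answer or from the asker's project; the service URL, credentials and the `ca.pem` bundle path are placeholders, and it keeps the asker's convention of sending the credentials as POST arguments rather than in the query string.

```php
<?php
// Added example: the PHP front end calling the web service over HTTPS with
// certificate verification enabled. URL, credentials and CA bundle path are placeholders.

function callWebService(string $url, string $user, string $pass, array $params): string
{
    if (strpos($url, 'https://') !== 0) {
        // Refuse to send credentials over plain HTTP, even if the URL was misconfigured.
        throw new InvalidArgumentException('web service URL must use https://');
    }

    $ch = curl_init($url);
    curl_setopt_array($ch, [
        // Credentials go in the POST body, not the query string, so they do not
        // end up in access logs, proxy logs or browser history.
        CURLOPT_POST           => true,
        CURLOPT_POSTFIELDS     => http_build_query($params + ['user' => $user, 'pass' => $pass]),
        CURLOPT_RETURNTRANSFER => true,
        // Verify the server certificate chain and that its hostname matches the URL.
        // Turning these off (the usual "fix" for certificate errors) leaves the
        // connection open to interception.
        CURLOPT_SSL_VERIFYPEER => true,
        CURLOPT_SSL_VERIFYHOST => 2,
        CURLOPT_CAINFO         => __DIR__ . '/ca.pem',   // placeholder CA bundle path
        CURLOPT_TIMEOUT        => 10,
    ]);

    $body = curl_exec($ch);
    if ($body === false) {
        $err = curl_error($ch);
        curl_close($ch);
        throw new RuntimeException('web service call failed: ' . $err);
    }
    $status = curl_getinfo($ch, CURLINFO_HTTP_CODE);
    curl_close($ch);
    if ($status !== 200) {
        throw new RuntimeException('web service returned HTTP ' . $status);
    }
    return $body;   // the XML document returned by the service
}

// Usage from the PHP page that serves the AJAX interface (placeholder values):
// $xml = callWebService('https://ws.example.invalid/api', 'svc_user', 'svc_pass', ['op' => 'list']);
```

If the service's certificate is issued by a private CA, point `CURLOPT_CAINFO` at that CA's certificate rather than disabling verification; the VPN alternative in the answer gives the same protection at the network layer instead.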
A: 

AJAX requests are no different from normal requests.

Since you have an AJAX interface, I guess you can have a page where users log in. When they log in, store a cookie in the browser. This cookie can then be sent back with every AJAX request.

Your PHP script can "authenticate" the AJAX request using the cookie exactly as it would with normal requests.

idrosid
Be careful. Some IE versions "sandbox" AJAX requests from the main page. Then cookies aren't available...
Pierre-Yves Gillier
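The session-cookie approach in this answer, written out for the asker's PHP setup as an added example (not code from the answer or the project). It assumes PHP 7.3 or later for the array form of `session_set_cookie_params()`, and the `findUserHash()` lookup and its single user record are constructed placeholders for a real user table. Because the browser attaches the cookie to every request on its own, the endpoint also checks a per-session token on state-changing calls, which the answer does not mention but which any cookie-authenticated AJAX API needs.

```php
<?php
// Added example: cookie-based session authentication shared by normal pages and
// AJAX endpoints. findUserHash() is a placeholder for a database lookup.

function findUserHash(string $username): ?string
{
    // Constructed user record standing in for a users table.
    static $users = null;
    if ($users === null) {
        $users = ['alice' => password_hash('correct horse battery staple', PASSWORD_DEFAULT)];
    }
    return $users[$username] ?? null;
}

function startSecureSession(): void
{
    session_set_cookie_params([
        'httponly' => true,    // not readable from JavaScript, so script injection cannot copy it
        'secure'   => true,    // only sent over HTTPS
        'samesite' => 'Lax',   // not attached to cross-site POSTs
        'path'     => '/',
    ]);
    session_start();
}

// login.php: called once from the login form; afterwards the cookie rides along with every AJAX call.
function login(string $username, string $password): bool
{
    startSecureSession();
    $hash = findUserHash($username);
    // password_verify() compares the hash in constant time.
    if ($hash === null || !password_verify($password, $hash)) {
        return false;
    }
    session_regenerate_id(true);          // new session id on login: prevents session fixation
    $_SESSION['user'] = $username;
    $_SESSION['csrf'] = bin2hex(random_bytes(32));
    return true;
}

// api.php: every AJAX endpoint runs this before doing any work; returns the user name.
function requireAjaxAuth(): string
{
    startSecureSession();
    if (empty($_SESSION['user'])) {
        http_response_code(401);
        exit('not authenticated');
    }
    // The cookie is sent automatically, so a state-changing request must also carry
    // a token that only our own page knows, sent by the JavaScript in a header.
    if ($_SERVER['REQUEST_METHOD'] !== 'GET') {
        $sent = $_SERVER['HTTP_X_CSRF_TOKEN'] ?? '';
        if (!hash_equals($_SESSION['csrf'], $sent)) {
            http_response_code(403);
            exit('bad CSRF token');
        }
    }
    return $_SESSION['user'];
}

// In the page that hosts the AJAX interface, expose the token to the script, e.g.
//   echo '<meta name="csrf" content="' . htmlspecialchars($_SESSION['csrf'], ENT_QUOTES) . '">';
// and have the AJAX code send it back as the X-CSRF-Token header on each POST.
```

The `HttpOnly` flag is what keeps the cookie out of reach of the page's own scripts, which is the right property here: the AJAX code never needs to read the cookie, only to make requests the browser will attach it to.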
+2  A: 

There are various standards like WS-Trust, WS-Security, WS-Federation, etc. which you could rely upon to secure your webservices.

You can also sign your SOAP headers containing security information.

The following blog details various authentication mechanisms for webservices using PHP. http://phpwebservices.blogspot.com/

rajesh pillai
A: 

SSL with user credentials is about as safe as you can get. You have to define what your security concern is. That the user's packet will get sniffed? That's what SSL is for. That an unauthorized user will gain access? That will depend on the password security.

One thing you can do is set up a lease system where you hand out a unique encrypted ID that has to be passed in the post and which expires after the transaction or after a short period of time. This lease code can be retrieved into a hidden div in the page (to avoid the sandbox concern above) and then inserted into every subsequent Ajax request.

method
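The lease system this answer describes, as an added example (not the answer's or the project's code). It swaps the answer's "unique encrypted ID" for a random value that the server keeps in the session alongside an expiry and a single-use flag: nothing about the lease needs to be decrypted, it cannot be forged without the server's copy, and it stops working after the transaction or after the lifetime, whichever comes first. The 120-second lifetime, the session-backed store and the clock passed in as `$now` are example choices; it assumes PHP 7.0 or later for `random_bytes()`.

```php
<?php
// Added example: short-lived, single-use "lease" tokens that the page embeds in a
// hidden element and that each AJAX request sends back. Store is an array kept in
// the session (assumption); $now is passed in so the logic can be exercised offline.

const LEASE_LIFETIME = 120;   // seconds; short enough that a captured lease is of little use

function issueLease(array &$store, int $now, bool $singleUse = true): string
{
    $lease = bin2hex(random_bytes(16));      // 128 bits from the CSPRNG, not guessable
    $store[$lease] = ['expires' => $now + LEASE_LIFETIME, 'single' => $singleUse];
    return $lease;
}

// Returns true and consumes the lease if it is valid, false otherwise. Every failure
// path returns the same value so the caller cannot tell "unknown" from "expired".
function redeemLease(array &$store, string $lease, int $now): bool
{
    if (!isset($store[$lease])) {
        return false;
    }
    $entry = $store[$lease];
    if ($now > $entry['expires']) {
        unset($store[$lease]);                // sweep expired entries as they are seen
        return false;
    }
    if ($entry['single']) {
        unset($store[$lease]);                // one transaction per lease
    }
    return true;
}

// Offline check of the behaviour with a constructed store and clock:
$store = [];
$t = 1000;
$lease = issueLease($store, $t);
assert(redeemLease($store, $lease, $t + 5) === true);     // first use within lifetime
assert(redeemLease($store, $lease, $t + 6) === false);    // single-use: gone after one transaction
$old = issueLease($store, $t, false);
assert(redeemLease($store, $old, $t + LEASE_LIFETIME + 1) === false);  // lapsed lease is refused

// Wiring into the real pages (assumes session_start() has already run):
// issuing, in the page that hosts the AJAX interface:
//   $_SESSION['leases'] = $_SESSION['leases'] ?? [];
//   $lease = issueLease($_SESSION['leases'], time());
//   echo '<div id="lease" style="display:none">' . htmlspecialchars($lease, ENT_QUOTES) . '</div>';
// checking, in the AJAX endpoint:
//   if (!redeemLease($_SESSION['leases'], $_POST['lease'] ?? '', time())) { http_response_code(403); exit; }
```

Keeping the lease in the session ties it to the user who was handed it, so a lease copied out of one browser is useless without that browser's session cookie as well. With single-use leases, an interface that fires several AJAX requests at once needs the endpoint to return a fresh lease with each response (or a reusable lease, `$singleUse = false`, with a short lifetime); otherwise the second concurrent request fails.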