
Password in URL of API - getauth

Submitted by Dave Reid on March 22, 2006 - 9:17pm in PerformancingAds

Could the API for getauth accept some kind of hash (MD5, etc) of the user's password instead of transmitting in plain text over an URL?


It could in a future release

It could in a future release, yes. Having said that, the password is only sent once and is intended to be sent program to program rather than entered in a web browser (wouldn't recommend it being sent using JS either).

Thanks

Thanks Chris for taking it into consideration.

By the way

I just need to point out that once you have an authorisation token you do not need to send your password again.

Problem with password in URL

It's true that you only have to send it once, but still, having it directly in the GET request means it can easily show up, for instance, in referrer logs. For most people it's probably not much of an issue.

It's probably possible to implement this transparently though: in the authentication code, you could verify the password against the one in the database and, if it doesn't match, verify it against an MD5 of the password in the database. That way implementers can choose whether to send it plaintext or hashed, without any API changes or implementation complexity for those that don't have an MD5 hashing algorithm handy (mashup programmers, for instance).

It's not going to appear in

It's not going to appear in any referrer logs; the only logs it will appear in are the Performancing server logs, where you log in anyway?

logs

If I do an authentication through the browser because I'm testing and then decide to do a query on Google, then they will see a referrer from the getauth URL I was just visiting on this site. I agree though that this is only an issue for developers, who mess with their browser when they want to test the API.

I'm just paranoid I guess, but I don't want my sysadmin to log into my account here because he can see my password in his proxy logs :)

anyway

It's not that I feel this is a crucial feature, it's just good security practice, especially since all you have to do is call PHP's md5() function on the password after you retrieve it from the database and before you compare it to the input.

I guess I should maybe point

I guess I should maybe point out that a user's authentication key is actually the MD5 hash of his or her password. So, really you could just start using the API (and avoid using the getauth method) and if you get a 502 response code back, it's an authentication error. Although that probably won't be recommended by the Metrics developers.
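The transparent fallback proposed earlier in the thread (compare the supplied value against the stored password, then against its MD5), together with the last comment's observation that the authentication key is itself the MD5 of the password, as an added Python model of the server-side check. This is not Performancing's code; `verify_getauth`, `auth_key`, the return labels and the assumption that the database holds the plaintext password are mine.

```python
import hashlib
import hmac
from typing import Optional

MD5_HEX_LEN = 32


def md5_hex(text: str) -> str:
    """Lowercase hex MD5 of a UTF-8 string, the same value PHP's md5() returns."""
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def auth_key(stored_password: str) -> str:
    """Per the thread, the API's authentication key is the MD5 of the password.
    Consequence for the defender: a hashed getauth URL captured from a log
    is already a usable key, so hashing hides the password string, not the
    credential. Rotating the password is still the only way to revoke it."""
    return md5_hex(stored_password)


def verify_getauth(supplied: str, stored_password: str) -> Optional[str]:
    """Accept either the plaintext password or its MD5 hex digest.

    Returns "plain" or "md5" on success, None on failure. stored_password is
    the plaintext value retrieved from the database (assumption, as in the
    thread's PHP suggestion)."""
    supplied_b = supplied.encode("utf-8")
    # Constant-time comparison so response timing does not leak how much of
    # the supplied value matched.
    if hmac.compare_digest(supplied_b, stored_password.encode("utf-8")):
        return "plain"
    # Only a 32-char value can be an MD5 digest; clients may hex-encode in
    # upper case, so normalise before comparing.
    if len(supplied) == MD5_HEX_LEN and hmac.compare_digest(
        supplied.lower().encode("ascii", "ignore"),
        md5_hex(stored_password).encode("ascii"),
    ):
        return "md5"
    return None
```

A client that sends the hashed form keeps the literal password out of proxy and referrer logs, but the logged value still equals `auth_key`, which is the point the last comment makes.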
