June 14th, 2013, 03:48 AM
My trouble is: How can i ensure that the client request comes from a valid customer. I can't rely on stuff that can be spoofed (e.g. http-referer).
June 14th, 2013, 04:00 AM
A login is the only certain method.
Comments on this post
June 17th, 2013, 03:45 AM
Exactly. "Authentication" would have been a better phrase rather than "Login."
Originally Posted by web_loone08
June 19th, 2013, 03:04 AM
Could you elaborate on this? Would you have a service that creates tokens/keycodes based on the request domain/ip?
If yes, how would that prevent me from sniffing your traffic (get your domain/ip). Contact the same service while spoofing headers with your data and Thus obtain the same access as you?
It could be secured using SSL but isn't there another solution?
June 19th, 2013, 04:12 AM
Why would you not want to use SSL? Any level and/or type of authentication is open to exploitation if you do not wrap it in a secure layer.
You are speaking of spoofing. What type of data are you intending to protect?
June 24th, 2013, 03:21 AM
As I write, I need to ensure "that the client request comes from a valid customer".
Originally Posted by Winters