CiviCRM Community Forums (archive)

This forum was archived on 25 November 2017. Learn more.
Author Topic: REST: api_key and PHPSESSID  (Read 1248 times)

Erik Hommel

  • Forum Godess / God
  • I live on this forum
  • *****
  • Posts: 1773
  • Karma: 59
    • EE-atWork
  • CiviCRM version: all sorts
  • CMS version: Drupal
  • MySQL version: Ubuntu's latest LTS version
  • PHP version: Ubuntu's latest LTS version
REST: api_key and PHPSESSID
July 13, 2011, 07:38:28 am
For my own information and because I want to include it in some documentation on using the REST for API calls: what is the reasoning behind being able to use the combination of site key and api_key to do a REST call, and the combination of site key and PHPSESSID? Is it security related? And is there any reason why we would not just provide the combination of site key and api key?
Erik
Consultant/project manager at EEatWork and CiviCooP (http://www.civicoop.org/)

xavier

  • Forum Godess / God
  • I’m (like) Lobo ;)
  • *****
  • Posts: 4453
  • Karma: 161
    • Tech To The People
  • CiviCRM version: yes probably
  • CMS version: drupal
Re: REST: api_key and PHPSESSID
July 13, 2011, 07:55:26 am
I'm guilty of part of it. Don't recall if it was as dumb as one option didn't work, so I created the second, and the first was fixed, and now we got two.

From a security point of view, if we can use one option or the other, the solution is as weak as the weakest of the two, so it can't improve it (and likely makes it more vulnerable, because that's more entry points that can have bugs).

From a performance pov, it *might* be better to use the session if you have several calls (to avoid multiple authentications), but I doubt the gain is significant.

X+
-Hackathon and data journalism about the European parliament 24-26 jan. Watch out the result

Erik Hommel

Re: REST: api_key and PHPSESSID
July 13, 2011, 08:14:11 am
I see! So there is really no problem if we want to progress to just using one in the future versions. For security purposes, I can imagine the advantage of the PHPSESSID would be that it is new for every session whilst the api_key potentially remains the same. On the other hand, the api_key is in the database and only in the database? Without any reason for it I would prefer the api_key if we use one.
Consultant/project manager at EEatWork and CiviCooP (http://www.civicoop.org/)
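The single-credential design discussed above, as an added example that is not CiviCRM's code: a hypothetical REST gatekeeper that checks the site key in constant time, looks the api_key up by its stored digest rather than keeping the plaintext in the database, keeps session-cookie authentication behind a configuration switch so a deployment can run exactly one path, and can rotate a key that would otherwise stay the same forever. Every name here (authenticate, AuthConfig, rotate_api_key, the sample keys and the session id) is constructed for this example.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

# Constructed sample data for the example; nothing here is a real key.
# The site key is a shared deployment secret and is compared in constant time.
SITE_KEY = "constructed-site-key-0123456789abcdef"


def key_digest(api_key: str) -> str:
    """Store only a SHA-256 digest of each api_key, so a read of the user table
    does not hand out usable credentials (hypothetical storage scheme)."""
    return hashlib.sha256(api_key.encode()).hexdigest()


# digest -> contact record; the plaintext api_key is never kept server-side.
USERS_BY_DIGEST = {
    key_digest("user1-api-key-aaaa"): {"contact_id": 101, "name": "alice"},
    key_digest("user2-api-key-bbbb"): {"contact_id": 102, "name": "bob"},
}

# Server-side session table: session id -> contact id of the logged-in user
# (constructed; a real CMS keeps this in its own session store).
SESSIONS = {"sess-cccccccccccccccc": 102}


@dataclass
class AuthConfig:
    allow_api_key: bool = True
    # Second path off by default: every enabled path is extra attack surface.
    allow_session: bool = False


def authenticate(params: dict, cookies: dict, cfg: AuthConfig):
    """Return the contact id the request acts as, or None.

    Order of checks: site key first (cheap, constant-time), then exactly one
    of the enabled credential paths.  A request that carries an api_key is
    judged on that api_key alone; it cannot fall through to a session.
    """
    supplied = params.get("key", "").encode()
    if not hmac.compare_digest(supplied, SITE_KEY.encode()):
        return None
    if cfg.allow_api_key and "api_key" in params:
        # The dict lookup is keyed on a digest, so its timing reveals nothing
        # useful about the key itself.
        user = USERS_BY_DIGEST.get(key_digest(params["api_key"]))
        return user["contact_id"] if user else None
    if cfg.allow_session and "PHPSESSID" in cookies:
        return SESSIONS.get(cookies["PHPSESSID"])
    return None


def rotate_api_key(contact_id: int) -> str:
    """Issue a fresh random api_key for a contact and retire the old digest.
    The plaintext is returned exactly once, for delivery to the user."""
    old = [d for d, u in USERS_BY_DIGEST.items() if u["contact_id"] == contact_id]
    if not old:
        raise KeyError(contact_id)
    record = USERS_BY_DIGEST.pop(old[0])
    new_key = secrets.token_urlsafe(32)
    USERS_BY_DIGEST[key_digest(new_key)] = record
    return new_key


if __name__ == "__main__":
    print(authenticate({"key": SITE_KEY, "api_key": "user1-api-key-aaaa"}, {}, AuthConfig()))
```

With the default configuration a request that presents only a PHPSESSID is refused even when the session is valid; a site that wants the session path opts in explicitly, which makes the "as weak as the weakest of the two" trade-off a deliberate configuration decision rather than an accident of two code paths.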

xavier

Re: REST: api_key and PHPSESSID
July 13, 2011, 08:26:44 am
IMO a real progress would be to use OAuth (that's what Twitter switched to).

They have consumer key, consumer secret, user key and user secret. Not sure why they are so many.

X+
-Hackathon and data journalism about the European parliament 24-26 jan. Watch out the result
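An added example, not Twitter's or CiviCRM's code, of how the four OAuth 1.0a values mentioned above divide the work (RFC 5849): the consumer key and the token identify the application and the authorized user and travel in the Authorization header, while the two secrets never leave either side and only combine into the HMAC key that signs the request. The query string, body, header fields and the expected signature base string are the worked request from RFC 5849 section 3.4.1.1; the two secrets and all function names are constructed for this example.

```python
import base64
import hashlib
import hmac
from urllib.parse import parse_qsl, quote


def pct(s: str) -> str:
    """RFC 5849 section 3.6 encoding: only ALPHA, DIGIT, '-', '.', '_', '~' stay unescaped."""
    return quote(s, safe="-._~")


def collect_params(query: str, oauth_header: dict, body: str) -> list:
    """Gather the decoded (name, value) pairs that get signed (section 3.4.1.3):
    query string, Authorization-header oauth_* fields (minus realm and the
    signature itself) and a form-encoded body."""
    params = list(parse_qsl(query, keep_blank_values=True))
    params += [(k, v) for k, v in oauth_header.items()
               if k not in ("realm", "oauth_signature")]
    params += list(parse_qsl(body, keep_blank_values=True))
    return params


def base_string(method: str, base_uri: str, params: list) -> str:
    """Section 3.4.1: METHOD & encoded base URI & encoded normalized parameters."""
    encoded = sorted((pct(k), pct(v)) for k, v in params)
    normalized = "&".join(f"{k}={v}" for k, v in encoded)
    return "&".join([method.upper(), pct(base_uri), pct(normalized)])


def hmac_sha1(base: str, consumer_secret: str, token_secret: str) -> str:
    """Section 3.4.2: the two secrets never travel; they only form the HMAC key."""
    key = pct(consumer_secret) + "&" + pct(token_secret)
    mac = hmac.new(key.encode(), base.encode(), hashlib.sha1).digest()
    return base64.b64encode(mac).decode()


def sign_request(method, base_uri, query, oauth_header, body, consumer_secret, token_secret):
    """Client side: produce the oauth_signature value for one request."""
    params = collect_params(query, oauth_header, body)
    return hmac_sha1(base_string(method, base_uri, params), consumer_secret, token_secret)


def verify_request(method, base_uri, query, oauth_header, body,
                   consumer_secret, token_secret, signature) -> bool:
    """Server side: after mapping oauth_consumer_key and oauth_token to their
    stored secrets, recompute and compare in constant time.  Nonce and
    timestamp replay checks (section 3.3) are outside this example."""
    expected = sign_request(method, base_uri, query, oauth_header, body,
                            consumer_secret, token_secret)
    return hmac.compare_digest(expected.encode(), signature.encode())


# Request from RFC 5849 section 3.4.1.1 (POST http://example.com/request).
RFC_QUERY = "b5=%3D%253D&a3=a&c%40=&a2=r%20b"
RFC_BODY = "c2&a3=2+q"
RFC_OAUTH = {
    "realm": "Example",
    "oauth_consumer_key": "9djdj82h48djs9d2",
    "oauth_token": "kkk9d7dh3k39sjv7",
    "oauth_signature_method": "HMAC-SHA1",
    "oauth_timestamp": "137131201",
    "oauth_nonce": "7d8f3e4a",
}
RFC_BASE_STRING = (
    "POST&http%3A%2F%2Fexample.com%2Frequest&"
    "a2%3Dr%2520b%26a3%3D2%2520q%26a3%3Da%26b5%3D%253D%25253D"
    "%26c%2540%3D%26c2%3D%26oauth_consumer_key%3D9djdj82h48djs9d2"
    "%26oauth_nonce%3D7d8f3e4a%26oauth_signature_method%3DHMAC-SHA1"
    "%26oauth_timestamp%3D137131201%26oauth_token%3Dkkk9d7dh3k39sjv7"
)
# Constructed secrets for this example (not values from the RFC).
CONSUMER_SECRET = "constructed-consumer-secret"
TOKEN_SECRET = "constructed-token-secret"


def rfc_example() -> dict:
    """Run the RFC request through signing and verification."""
    args = ("POST", "http://example.com/request", RFC_QUERY, RFC_OAUTH, RFC_BODY)
    base = base_string(args[0], args[1], collect_params(RFC_QUERY, RFC_OAUTH, RFC_BODY))
    sig = sign_request(*args, CONSUMER_SECRET, TOKEN_SECRET)
    return {"base": base, "signature": sig,
            "verified": verify_request(*args, CONSUMER_SECRET, TOKEN_SECRET, sig)}


if __name__ == "__main__":
    print(rfc_example())
```

Two values identify, two values sign: a server that loses its token-secret table cannot be impersonated by someone who only captured traffic, because the wire carries the signature and never the secrets, and a consumer secret on its own signs nothing without the per-user token secret.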

Erik Hommel

Re: REST: api_key and PHPSESSID
July 13, 2011, 08:39:20 am
Trust your judgment immediately :-) First thing I am going to do based on issue CRM-8322 (and some testing on my own) is fix the XML problems which pop up every now and then in the forum.....then holidays and CiviCon....then OAuth proposal?
Consultant/project manager at EEatWork and CiviCooP (http://www.civicoop.org/)

This forum was archived on 2017-11-26.