Comments on: PHP Web Services – Authentication Based on Client’s IP http://www.dimuthu.org/blog/2008/12/27/php-web-services-authentication-based-on-clients-ip/ Waiting for your comments Thu, 01 Dec 2011 06:50:51 +0000 hourly 1 http://wordpress.org/?v=3.3.1 By: Mangal http://www.dimuthu.org/blog/2008/12/27/php-web-services-authentication-based-on-clients-ip/comment-page-1/#comment-109790 Mangal Thu, 01 Dec 2011 06:50:51 +0000 http://www.dimuthu.org/?p=862#comment-109790 Thank you, Dimuthu, I am using PEAR::SOAP in our application that's why can't use your "authentication by username token". if you have any other idea to secure PEAR::SOAP web-service then please update me. it will help me lot. Thank you Thank you, Dimuthu,

I am using PEAR::SOAP in our application that’s why can’t use your “authentication by username token”. if you have any other idea to secure PEAR::SOAP web-service then please update me. it will help me lot.

Thank you

]]> By: dimuthu http://www.dimuthu.org/blog/2008/12/27/php-web-services-authentication-based-on-clients-ip/comment-page-1/#comment-109780 dimuthu Thu, 01 Dec 2011 06:14:35 +0000 http://www.dimuthu.org/?p=862#comment-109780 Hi, Sure. If apache access control is used, you can avoid IP spoofing attacks. If you are using WSF/PHP you can use username token, that would do authentication in application level with more control. See here, http://www.dimuthu.org/blog/2008/09/23/authenticate-using-username-token-from-php-2-minutes-introduction/ Hi,
Sure. If apache access control is used, you can avoid IP spoofing attacks. If you are using WSF/PHP you can use username token, that would do authentication in application level with more control. See here, http://www.dimuthu.org/blog/2008/09/23/authenticate-using-username-token-from-php-2-minutes-introduction/

]]> By: Mangal http://www.dimuthu.org/blog/2008/12/27/php-web-services-authentication-based-on-clients-ip/comment-page-1/#comment-109646 Mangal Wed, 30 Nov 2011 14:05:35 +0000 http://www.dimuthu.org/?p=862#comment-109646 Hi Dimuthu, Thanks for writing the article. Dimuthu, as Nabeel says that IP based authentication can be spoofed what happen if we restrict the access of our webservice by apache access control also. Is this add some more security? Please suggest, i am waiting your reply. Thanks. Hi Dimuthu,

Thanks for writing the article.

Dimuthu, as Nabeel says that IP based authentication can be spoofed what happen if we restrict the access of our webservice by apache access control also. Is this add some more security?

Please suggest, i am waiting your reply.

Thanks.

]]> By: nik http://www.dimuthu.org/blog/2008/12/27/php-web-services-authentication-based-on-clients-ip/comment-page-1/#comment-19093 nik Mon, 08 Feb 2010 16:33:16 +0000 http://www.dimuthu.org/?p=862#comment-19093 hi Dimuthu You have done good job for Ip based authentication. But here I have done using username password based authentication. You can check it from this link. http://my-source-codes.blogspot.com/2010/02/php-nusoap-web-services-and.html Thanks. hi Dimuthu You have done good job for Ip based authentication.
But here I have done using username password based authentication.
You can check it from this link.

http://my-source-codes.blogspot.com/2010/02/php-nusoap-web-services-and.html

Thanks.

]]> By: dimuthu http://www.dimuthu.org/blog/2008/12/27/php-web-services-authentication-based-on-clients-ip/comment-page-1/#comment-2306 dimuthu Sun, 28 Dec 2008 01:58:29 +0000 http://www.dimuthu.org/?p=862#comment-2306 Hi Nabeel, Thanks for the note. I think I got what you are pointing out. Server possibly determine the source IP from the header of the IP packet, which can be easily regenerated with a fake source IP by some attacker. Here I was answering to the problem asked in the forum <a href="http://wso2.org/forum/thread/4609" rel="nofollow">http://wso2.org/forum/thread/4609</a>, <a href="http://wso2.org/forum/thread/4659" rel="nofollow">http://wso2.org/forum/thread/4659</a>. I will mention your note in there too. Thanks Dimuthu Hi Nabeel,
Thanks for the note.
I think I got what you are pointing out. Server possibly determine the source IP from the header of the IP packet, which can be easily regenerated with a fake source IP by some attacker.
Here I was answering to the problem asked in the forum http://wso2.org/forum/thread/4609, http://wso2.org/forum/thread/4659. I will mention your note in there too.

Thanks
Dimuthu

]]> By: Nabeel http://www.dimuthu.org/blog/2008/12/27/php-web-services-authentication-based-on-clients-ip/comment-page-1/#comment-2301 Nabeel Sat, 27 Dec 2008 23:57:16 +0000 http://www.dimuthu.org/?p=862#comment-2301 This comment is not directly related what you are pointing out in this entry. However, it may serve as a precautionary measure. In the absent of filtering at routers/firewalls, this method is vulnerable to IP spoofing attacks. Therefore, in such situations IP based authentication should not be used as a replacement to other authentication methods, such as WS-Sec username-token, but rather as a complement if the operation being protected is very sensitive. This comment is not directly related what you are pointing out in this entry. However, it may serve as a precautionary measure. In the absent of filtering at routers/firewalls, this method is vulnerable to IP spoofing attacks. Therefore, in such situations IP based authentication should not be used as a replacement to other authentication methods, such as WS-Sec username-token, but rather as a complement if the operation being protected is very sensitive.

]]>