Solution for the secure authentication

Alex Kaiser
New member
Username: Alex_k

Post Number: 4
Registered: 07-2006
Posted on Tuesday, January 20, 2009 - 08:20 am:   

Hello!

We have the following scenario:
1. The user creates a message queue via our website.
2. The queue is stored in the database.
3. When the user sends a message, the website engine queries the user's password from the database and generates an HTTP request to the NowSMS instance.

I think that storing the password is very bad for security. Is there any way to solve that issue?
A good solution would be if NowSMS allowed submitting messages without a password from authorized IP addresses (like the IP of the site).

Regards,
Alex K.
Bryce Norwood - NowSMS Support
Board Administrator
Username: Bryce

Post Number: 7745
Registered: 10-2002
Posted on Monday, January 26, 2009 - 10:18 pm:   

Hi Alex,

Des and I have been discussing this trying to figure out the best way to reply.

We agree that what you describe is not a good solution.

If I were implementing this scenario, I'd probably go about it a little differently.

Do you need to have all of the user accounts defined in NowSMS? Or since users are only submitting via your web site, which they are already authenticating with ... would it make sense for you to use only a single account on the NowSMS side (for your website engine to interface with NowSMS), and manage all of the users and accounting quotas when users submit into your web site?

-bn
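
A sketch of the single-account arrangement suggested in the reply above, added here as an example and not code from NowSMS or from either poster. The gateway address, the URL parameter names, the environment variable names and the quota table are assumptions to check against your own gateway setup.

```python
import os
from urllib.parse import urlencode

GATEWAY_URL = "http://127.0.0.1:8800/"  # assumed: gateway reachable only from the web server


class QuotaExceeded(Exception):
    """Raised when a site user has no messages left."""


class SmsFrontEnd:
    """Site-side layer: per-user quotas live here, the gateway sees one account."""

    def __init__(self, gw_user, gw_password, quotas, transport):
        self._gw_user = gw_user
        self._gw_password = gw_password
        self._remaining = dict(quotas)  # site user -> messages left
        self._transport = transport     # callable(url) -> True if gateway accepted

    def remaining(self, site_user):
        return self._remaining.get(site_user, 0)

    def submit(self, site_user, phone, text):
        # site_user must already be authenticated by the website session.
        if self.remaining(site_user) <= 0:
            raise QuotaExceeded(site_user)
        url = GATEWAY_URL + "?" + urlencode({
            "PhoneNumber": phone, "Text": text,  # assumed parameter names
            "User": self._gw_user, "Password": self._gw_password,
        })
        accepted = self._transport(url)
        if accepted:
            self._remaining[site_user] -= 1  # charge quota only on success
        return accepted


def from_environment(quotas, transport):
    # Hypothetical variable names; the one gateway secret stays out of the user table.
    return SmsFrontEnd(os.environ["SMS_GW_USER"], os.environ["SMS_GW_PASSWORD"],
                       quotas, transport)


if __name__ == "__main__":
    sent = []  # constructed demo: record the URL in place of sending it
    fe = SmsFrontEnd("site-engine", "constructed-secret", {"alice": 1},
                     lambda url: sent.append(url) or True)
    print(fe.submit("alice", "+15550100", "hello"), fe.remaining("alice"))
```

Because the gateway credential travels in the request URL, the link between the website and the gateway should be a loopback or otherwise private connection.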
Alex Kaiser
New member
Username: Alex_k

Post Number: 8
Registered: 07-2006
Posted on Friday, January 30, 2009 - 06:47 pm:   

Hello Bryce and Des!

Thanks for your response!

Here is my point of view :-)

How should you act if you want to integrate your web site with NowSMS? The NowSMS web-based menu doesn't have enough functionality and flexibility to meet changing customer needs.

If we use NowSMS for storing user accounts, how can we query user info, like passwords or allowed IPs? Then we have to duplicate data. On the other hand, if we use NowSMS only as an SMS gateway and submit messages over 1 account, we have to re-create all the program logic ourselves, like balances, quotas, access type and so on.

In my opinion, the best way to reach a balance is to give developers access to inner NowSMS data. For example, we can query the user balance but we can't query whether the account balance is enabled; we can enable/disable an access type but we can't know which access type is enabled atm, or just query user statistics. That feature would give a great impulse for integrating NowSMS into foreign systems.

Regards,
Alex K.