Re^3: A question about web service security

Actually no. You can use a challenge/response technique. Take the MD5 hash of the current time plus some secret "seed", and send that to the client. Then, whenever the client requests that action, it must supply this MD5 hash. On the server side, you recalculate the hash for each of the last x seconds, and see if any matches what the client supplied. Only permit the action if the hash matches.

The trick is to only deliver a hash to the client when it is a valid time to perform the action. And by restricting x to a small number of seconds, you control fairly tightly when the action can take place. So even if they do fake it, they can only fake it when it's a valid time to perform the action anyway.

Comment on Re^3: A question about web service security

Replies are listed 'Best First'.
Re^4: A question about web service security by PerlOnTheWay (Monk) on Aug 05, 2011 at 14:10 UTC
Whatever seed you choose,you need to send it to the client, and a programmer can do faking using that seed...	[reply]
Re^5: A question about web service security by Anonymous Monk on Aug 05, 2011 at 14:26 UTC
This is how public key ecryption works. The server has private key, it doesn't share it. The client gets servers public key (everybody gets public key). you encrypt messaages for server using public key, only server can read them server uses private key to decrypt message encrypted with public key. Only server has private key.	[reply]
Re^6: A question about web service security by PerlOnTheWay (Monk) on Aug 05, 2011 at 15:02 UTC
I'm aware of all these ,and like I said,it won't work.	[reply]
Re^7: A question about web service security by Anonymous Monk on Aug 05, 2011 at 16:08 UTC