Well, I would suggest not sending the username / password in text form under any circumstances (even when using SSL). Instead, I would suggest using the Digest authentication form.
Instead, I would suggest creating a large authentication token (a random large string; 128 characters will work). Users then install this "token" in their application.
Now, when the application checks for updates, it first sends a request to your server asking for a digest token. This is a random one-time token that is used for only one request. Your application should generate a token, save it in a persistent store (file, memory, database, etc.) along with a timestamp, and then send it back.
Now your application receives this digest token (here $dt). Then you HMAC with the pre-configured authentication token that has already been specified:

    $authBit = $username . ':' . $authToken;
    // key is the one-time digest token, data is "user:authToken"
    $hash = hash_hmac('sha256', $authBit, $digestToken);
    $authField = $username . ':' . $hash . ':' . $digestToken;
Then you send $authField to the server. The server then splits the parts:

    list($user, $hash, $digestToken) = explode(':', $authField);
Now you first look up the user's authentication token in the database and save it in $authToken. Then you look up $digestToken to make sure that it exists and that it was created less than 60 seconds ago (you can configure this if it is too short, but don't make it much longer). In any case, remove it from the db at this point (to prevent reuse).
Now, if $digestToken exists and is valid, and you can find $authToken, then do the following check:

    $stub = $user . ':' . $authToken;
    // hash_equals() is a constant-time comparison; a loose == on hash strings
    // is subject to PHP type juggling and timing differences
    if (hash_equals(hash_hmac('sha256', $stub, $digestToken), $hash)) {
        // valid user
    } else {
        // not valid
    }
This allows you to change the sent token every time, at the cost of one extra HTTP request (anyone who reads the request stream will not be able to get any confidential information from the request, except for the username, which you could mask further if you'd like).
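The exchange described above (one-time digest token, HMAC over "user:authToken" keyed by that digest, 60-second expiry, single use, constant-time compare), carried through on both sides as an added example that is not part of the original answer. The `Server` class, its injectable clock and the in-memory dictionaries standing in for the database are assumptions made for the demo.

```python
import hashlib
import hmac
import secrets
import time

DIGEST_TTL = 60  # seconds a digest token stays valid, as in the answer


class Server:
    """Server side of the scheme. user_tokens maps username -> long-lived
    auth token (the answer keeps these in a database). `now` is injectable
    so expiry can be exercised without sleeping."""

    def __init__(self, user_tokens, now=time.time):
        self.user_tokens = user_tokens
        self.now = now
        self.digests = {}  # digest token -> issue timestamp (the "db")

    def issue_digest(self):
        # Step 1: client asks for a random one-time digest token.
        dt = secrets.token_hex(32)
        self.digests[dt] = self.now()
        return dt

    def verify(self, auth_field):
        # Step 3: split "user:hash:digestToken" and validate.
        parts = auth_field.split(":")
        if len(parts) != 3:
            return False
        user, client_hash, dt = parts
        # Remove the digest token whatever the outcome, so it cannot be reused.
        issued = self.digests.pop(dt, None)
        if issued is None or self.now() - issued > DIGEST_TTL:
            return False
        auth_token = self.user_tokens.get(user)
        if auth_token is None:
            return False
        expected = _digest(user, auth_token, dt)
        # Constant-time comparison, the Python equivalent of hash_equals().
        return hmac.compare_digest(client_hash, expected)


def _digest(user, auth_token, dt):
    # Same construction as hash_hmac('sha256', "user:authToken", digestToken):
    # key is the one-time digest token, data is "user:authToken".
    data = f"{user}:{auth_token}".encode()
    return hmac.new(dt.encode(), data, hashlib.sha256).hexdigest()


def client_auth_field(user, auth_token, dt):
    # Step 2: client builds "user:hash:digestToken" to send to the server.
    return f"{user}:{_digest(user, auth_token, dt)}:{dt}"
```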