How to build a secure and RESTful service in PHP?

I'm building an application system which consists of a server part "in the cloud" and a client part, e.g. an iPhone or Android app or a web browser.

Server side is implemented in PHP (LAMP) and is today a very simple server with a number of php-files serving each type of method request like: getCustomers.php, addNewCustomer.php and so on. Also, up until now, no security mechanism has been used whatsoever and the ISP hosting the server does not provide SSL. That's right, SSL is not an option for security.

Now, I want to gear up my old system and make it:
1) True RESTful service, and
2) Add security, users must be authenticated and authorized, but passwords in plain text are of course not acceptable.

My question simply is, how do I achieve and realize points 1) and 2) above? Is there any tutorial, book chapter or blog article that describes this combined in a single piece? Or do I need to collect information sprinkled all over the web and then try to combine them the best I can?

And please, if you know the answer, and now I hope I'm not too rude, do not just say oAuth this or openID that, instead I would appreciate a lucid explanation of the how or pointers to e.g. blog articles explaining this. Needless to say I have searched the web like a maniac but have, to my big surprise, not been able to find a good answer!?

Regards,
Steve

Steve asked Apr 28 '11 09:04

2 Answers

Is there a tutorial, book chapter or blog article that describes this combined in a single piece?

I can recommend REST in Practice - Hypermedia System Architecture as a guide to building HATEOAS systems. It has no PHP samples, but it includes a full chapter on Web Security Issues, covering HTTP Basic and Digest Auth, OpenID and OAuth and attack vectors to be aware of.

Gordon answered Oct 23 '22 11:10



Instead of inventing/building your solution, I'd use one of the many PHP frameworks for RESTful services. http://www.recessframework.org/ is pretty comprehensive, though you will almost certainly have to extend it to include authentication.

http://phprestsql.sourceforge.net/ does support authentication out of the box, but relies on HTTPS to encrypt plaintext passwords; you should be able to extend it when you work out how to deal with authentication.

Apropos authentication: as REST is intended to use the HTTP standards as much as possible, I'd recommend using the HTTP authentication mechanisms - described at length in http://php.net/manual/en/features.http-auth.php (as well as in the W3C docs).

Neville Kuyt answered Oct 23 '22 13:10

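Added example of the HTTP authentication approach the last answer points to (not code from the question or from either answer): an HTTP Digest check in front of a PHP endpoint, where the server stores only the HA1 hash and verifies a self-signed nonce, so the password itself never crosses the wire; Digest does not protect the request body, though, so the data still travels in the clear without TLS. Assumed here: the realm, the `$secret`, and the single constructed user record.

```php
<?php
// Added illustration, not code from the question or answers: HTTP Digest auth in
// front of a PHP endpoint, in the spirit of the php.net HTTP-auth chapter. The
// password never travels over the wire and the server keeps only HA1 hashes.
// Note: $_SERVER['PHP_AUTH_DIGEST'] is populated only when PHP runs as an Apache module.
$realm  = 'Customer API';
$secret = 'replace-with-a-random-server-secret';                  // assumption: from config
$users  = ['steve' => md5('steve:' . $realm . ':correct-horse')]; // constructed HA1 store
// Stateless nonce = timestamp.HMAC, so the server can check age and authenticity.
function make_nonce(string $secret): string {
    $ts = (string) time();
    return $ts . '.' . hash_hmac('sha256', $ts, $secret);
}
function nonce_is_valid(string $nonce, string $secret, int $maxAge = 300): bool {
    [$ts, $mac] = array_pad(explode('.', $nonce, 2), 2, '');
    return ctype_digit($ts) && time() - (int) $ts <= $maxAge
        && hash_equals(hash_hmac('sha256', $ts, $secret), $mac);
}
// Parse the Digest header into key => value; null if any field we rely on is missing.
function parse_digest(string $header): ?array {
    $needed = ['nonce', 'nc', 'cnonce', 'qop', 'username', 'uri', 'response'];
    preg_match_all('@(\w+)=(?:"([^"]*)"|([^\s,]+))@', $header, $m, PREG_SET_ORDER);
    $data = [];
    foreach ($m as $kv) {
        $data[$kv[1]] = $kv[2] !== '' ? $kv[2] : ($kv[3] ?? '');
    }
    return array_diff($needed, array_keys($data)) ? null : $data;
}
// Recompute the expected response from the stored HA1 and compare in constant time.
function verify_digest(array $d, array $users, string $method, string $uri, string $secret): bool {
    if (!isset($users[$d['username']]) || $d['qop'] !== 'auth' || $d['uri'] !== $uri
        || !nonce_is_valid($d['nonce'], $secret)) {
        return false;
    }
    $ha2      = md5($method . ':' . $d['uri']);
    $expected = md5($users[$d['username']] . ':' . $d['nonce'] . ':' . $d['nc'] . ':'
                  . $d['cnonce'] . ':' . $d['qop'] . ':' . $ha2);
    return hash_equals($expected, $d['response']);
}
$parsed = parse_digest($_SERVER['PHP_AUTH_DIGEST'] ?? '');
if ($parsed === null
    || !verify_digest($parsed, $users, $_SERVER['REQUEST_METHOD'], $_SERVER['REQUEST_URI'], $secret)) {
    header('HTTP/1.1 401 Unauthorized');
    header('WWW-Authenticate: Digest realm="' . $realm . '",qop="auth",nonce="'
        . make_nonce($secret) . '",opaque="' . md5($realm) . '"');
    exit('Authentication required');
}
header('Content-Type: application/json');
echo json_encode(['customers' => [], 'authenticated_as' => $parsed['username']]);
```

Drop this file in front of each resource script (or the single front controller of a RESTful rewrite) and the client, e.g. curl with `--digest`, is challenged on the first request and authenticated on the retry.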