<p>I think tokens would be a solid way to go. Forms authentication is based on cookies for the web. Not the most ideal situation for all non-browser clients though.</p>
<p>What I'd suggest is creating a custom AuthorizationFilterAttribute and overriding the OnAuthorization method. In that method, you could check for the existence of a token that you've issued to the client after they've supplied valid credentials. You can use this attribute on any method or controller you want validated. Here's a sample you might reference</p>
<pre><code>using System.Linq;
using System.Net;
using System.Net.Http;
using System.Web.Http.Controllers;
using System.Web.Http.Filters;

public class AuthorizeTokenAttribute : AuthorizationFilterAttribute
{
    public override void OnAuthorization(HttpActionContext actionContext)
    {
        if (actionContext != null)
        {
            if (!AuthorizeRequest(actionContext.ControllerContext.Request))
            {
                // Setting a response short-circuits the pipeline, so the action never runs
                actionContext.Response = new HttpResponseMessage(HttpStatusCode.Unauthorized)
                {
                    RequestMessage = actionContext.ControllerContext.Request
                };
            }
            return;
        }
    }

    private bool AuthorizeRequest(HttpRequestMessage request)
    {
        bool authorized = false;
        if (request.Headers.Contains(Constants.TOKEN_HEADER))
        {
            // Read the same header that was checked above
            var tokenValue = request.Headers.GetValues(Constants.TOKEN_HEADER);
            if (tokenValue.Count() == 1)
            {
                var value = tokenValue.FirstOrDefault();
                //Token validation logic here
                //set authorized variable accordingly
            }
        }
        return authorized;
    }
}
</code></pre>
<p>TOKEN_HEADER is just a string representing an HTTP header that the client should pass back for authenticated requests.</p>
<p>So let's walk through it</p>
<ol>
<li>Client requests secure data</li>
<li>Client is not authorized, return a response with an Unauthorized status code</li>
<li>Client sends credentials to authenticate, which should be secured via HTTPS</li>
<li>Once validated, client receives a token via an HTTP header, or whatever works for you</li>
<li>Client tries requesting secure data again, this time attaching the token to the request</li>
<li>The AuthorizeTokenAttribute will validate the token and allow the action to execute.</li>
</ol>
<p>Also, check this post by John Petersen. <a href="http://codebetter.com/johnvpetersen/2012/04/02/making-your-asp-net-web-apis-secure/" rel="noreferrer">Making your ASP.NET Web API's secure</a></p>
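One way to fill the "token validation logic" slot in the answer above, as an added example that is not part of the original answer: a stateless HMAC-SHA256-signed token carrying a user id and expiry, verified with a fixed-time comparison before anything in the payload is trusted. The class name, token layout and key handling are assumptions made for this example, and ToUnixTimeSeconds needs .NET 4.6 or later.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

public static class TokenService
{
    // Server-side secret (assumed placeholder); load it from protected configuration in practice.
    private static readonly byte[] Key = Encoding.UTF8.GetBytes("REPLACE-WITH-A-RANDOM-32-BYTE-SECRET");
    // Issued once the client has proven its credentials over HTTPS.
    // Layout: base64(userId|expiryUnixSeconds) + "." + base64(HMAC-SHA256(payload))
    public static string Issue(string userId, TimeSpan lifetime)
    {
        long expiry = DateTimeOffset.UtcNow.Add(lifetime).ToUnixTimeSeconds();
        string payload = Convert.ToBase64String(Encoding.UTF8.GetBytes(userId + "|" + expiry));
        return payload + "." + Sign(payload);
    }
    // Returns the user id when the token is intact and unexpired, otherwise null.
    public static string Validate(string token)
    {
        try
        {
            string[] parts = (token ?? "").Split('.');
            if (parts.Length != 2) return null;
            // Verify the MAC before trusting the payload, and compare in fixed time
            // so the check does not leak how many signature bytes matched.
            byte[] expected = Convert.FromBase64String(Sign(parts[0]));
            byte[] actual = Convert.FromBase64String(parts[1]);
            if (!FixedTimeEquals(expected, actual)) return null;
            string[] fields = Encoding.UTF8.GetString(Convert.FromBase64String(parts[0])).Split('|');
            long expiry;
            if (fields.Length != 2 || !long.TryParse(fields[1], out expiry)) return null;
            if (DateTimeOffset.UtcNow.ToUnixTimeSeconds() >= expiry) return null;
            return fields[0];
        }
        catch (FormatException) { return null; } // malformed base64 in either part
    }
    private static string Sign(string payload)
    {
        using (var hmac = new HMACSHA256(Key))
            return Convert.ToBase64String(hmac.ComputeHash(Encoding.UTF8.GetBytes(payload)));
    }
    private static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}
```

In the filter's AuthorizeRequest the placeholder then becomes `authorized = TokenService.Validate(value) != null;`, and the login endpoint hands back `TokenService.Issue(user, TimeSpan.FromHours(1))` in the TOKEN_HEADER response header.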