
  1. Does this session/token authentication system make sense for my web API?

Today I implemented a session/token authentication system for my web API (HTTP GET/POST RPC style), following this plan:

Legend: action (param1, param2) : returnvalue1, returnvalue2

- login (username, password) : sessionkey, token
- requestA (sessionkey, token, paramA) : token
- requestB (sessionkey, token, paramB) : token
- logout (sessionkey, token) : void

The login action is sent over HTTPS, to protect the user's data. You get a session/token combination, where one token is only valid for one request (you will always receive a new token on normal requests). My thoughts behind this were about reducing the risk of a man-in-the-middle attack sniffing your session key: if you are "lucky", the sniffed token has already been invalidated through your own subsequent request.

My backend and its unit tests are perfectly fine, but I didn't think far enough: I finally ran into issues with asynchronous AJAX calls, which defeat this one-time-token idea.

Is the added security worth not being able to process asynchronous requests?

One idea was to introduce a request queue inside my AJAX application. Did someone do anything like that, and would you recommend it?

A probably less secure, but more convenient way would IMHO be not to renew the token for every request, allowing asynchronous processing but keeping the initial HTTPS auth and adding a strict lifetime to a session. I should also save the IP to the session server-side.

Did I miss other valuable options?

I am bound to existing username/password values, which without exception have to work without changes with the new AJAX app.