StackOverflow2013

Note that there are some explanatory texts on larger screens.

plurals

POAPI authentication using timestamp : What to do when the client's time setting is changed?
primarykey
Id
19431431
data
AcceptedAnswerId
0
AnswerCount
3
ClosedDate
CommentCount
2
CommunityOwnedDate
CreationDate
2013-10-17T15:50:01.073
FavoriteCount
3
LastActivityDate
2013-10-17T19:06:44.347
LastEditDate
2013-10-17T15:59:24.637
LastEditorUserId
1167429
OwnerUserId
1167429
ParentId
0
PostTypeId
1
Score
6
ViewCount
1402
LastEditorDisplayName
text
Body
I am implementing an REST API authentication system. I am basically using the method explained in this site: <a href="http://www.thebuzzmedia.com/designing-a-secure-rest-api-without-oauth-authentication/" rel="noreferrer">http://www.thebuzzmedia.com/designing-a-secure-rest-api-without-oauth-authentication/</a> Basically it uses the request body to create a hash, sends it to the server along with the actual request, the server recreates and compares it, and what not... I won't bother explaining the details. The important part is that I am using a timestamp in order to prevent "replay attacks". Quoting from the site, it explains: <blockquote> Compare the current server’s timestamp to the timestamp the client sent. Make sure the difference between the two timestamps it within an acceptable time limit (5-15mins maybe) to hinder replay attacks. </blockquote> The problem I am facing now is that if the client's clock setting is modified, it may cause unexpected API authentication failures, since the timestamp varies between the client and the server. Is there no way around this? Do I have to give up on using the timestamp? I would highly appreciate it if anyone can help me out with a solution for this timestamp problem, or with any other way which I can prevent replay attacks. Note: I am aware that issuing a nonce to the client is an excellent way to prevent "replay attacks", but I want to make that my last resort, since the implementation cost of creating a nonce-issuing-API and the backend to manage the nonce is too large.
Tags
<api><security><rest><authentication>
Title
API authentication using timestamp : What to do when the client's time setting is changed?
singulars
PostAcceptedAnswerId
1. This table or related slice is empty.
PostParentId
1. This table or related slice is empty.
PostTypePostTypeId
1. PTQuestion
UserLastEditorUserId
1. USashiina
UserOwnerUserId
1. USashiina
plurals
PostLinksPostIdRelatedPostId
1. This table or related slice is empty.
PostLinksRelatedPostIdPostId
1. This table or related slice is empty.
PostsAcceptedAnswerId
1. This table or related slice is empty.
PostsParentIdCreationDate
1. PO
 singulars
 PostTypePostTypeId
 PTAnswer
2. PO
 singulars
 PostTypePostTypeId
 PTAnswer
3. PO
 singulars
 PostTypePostTypeId
 PTAnswer
VotesPostIdCreationDate
1. VO
 singulars
 PostPostId
 POAPI authentication using timestamp : What to do when the client's time setting is changed?
 UserUserId
 This table or related slice is empty.
 VoteTypeVoteTypeId
 VTUpMod
2. VO
 singulars
 PostPostId
 POAPI authentication using timestamp : What to do when the client's time setting is changed?
 UserUserId
 USSatish
 VoteTypeVoteTypeId
 VTFavorite
3. VO
 singulars
 PostPostId
 POAPI authentication using timestamp : What to do when the client's time setting is changed?
 UserUserId
 This table or related slice is empty.
 VoteTypeVoteTypeId
 VTUpMod
CommentsPostId
1. COIf the client's clock setting is modified frankly there will indeed be authentication failures and nobody can help except client has to investigate and rechange the settings. There are few things to really stop worrying about. Also 5-15mins is too large a acceptable limit. It should be +-60 seconds. Don't stop your idea of sending timestamp just for a irresponsible client. Your question is very good though.
 singulars
 PostPostId
 POAPI authentication using timestamp : What to do when the client's time setting is changed?
 UserUserId
 USSatish

Querying!

Guidance

A row detail

Detail views are divided into sections. All the information in the data section comes from columns in the selected row. The other sections display data from other, related rows.

Related data can be related in a to-one or a to-many fashion. Captions of data related in a to-many fashion link to a list view showing a filtered view of the table.

Try moving around until you find a non-empty to-many entry and click on the label to get to one. You can move back to the root by clicking on the database name in the header.