Matt

Reputation: 1582

How to secure an API

I am developing an API as a middleman between a Windows app and the database. The webserver will just be an ASP.NET generic handler returning JSON. Users will log into the app and their credentials will be transmitted over the wire. From there what I was going to do was generate a session key that the app could use from then on with every request. This will not be an open API in the foreseeable future. Now what I am wondering is if this is secure enough? How can I stop people from using Fiddler to just replicate the calls? Is there a better approach to this? Would it help if I used SSL?

I don't want to complicate matters by using OAuth.

Thanks!

Upvotes: 0

Views: 104

Answers (1)

Darin Dimitrov

Reputation: 1039438

Use SSL. In order to obtain the session token the client should authenticate himself with a username and password transmitted over SSL. Once authenticated, the token should be transmitted to the server over SSL to prevent man-in-the-middle attacks.

So here's the flow:

  1. The client sends his credentials (username and password) over SSL to a web method
  2. The web method verifies the credentials and generates a session token and returns this session token to the client.
  3. The client sends the session token on subsequent requests to protected resources.
  4. The server verifies the token and if valid grants access to the protected resource.

You can use simple Forms Authentication to generate the session tokens. The FormsAuthentication.Encrypt and FormsAuthentication.Decrypt methods could be a good start for you. The forms authentication token contains an encrypted value of the currently authenticated user. If you are running in a web farm, make sure that you have static machine keys on all nodes of your web farm; otherwise a session token encrypted on one node might not be decrypted on another node.

As an alternative to session tokens you could use basic authentication over SSL. The drawback is that credentials are sent over the wire on each request. Even if you are using SSL, the password is still transmitted over the wire, so this method is less secure than session tokens but easier to set up.

Upvotes: 1
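The four-step flow and the FormsAuthentication.Encrypt/Decrypt idea from the answer above, written out as two ASP.NET generic handlers. This is an added example, not code from the question, the answer or any project: it assumes .NET Framework with System.Web, that HTTPS is already configured on the site, and that `CheckCredentials` is a hypothetical stand-in for the real user lookup (it must be replaced with a salted-hash comparison against the database before use). The token is carried in an `Authorization: Bearer` header, which is an assumption of this example, not something the answer prescribes.

```csharp
// Added example (not from the original Q&A). Two generic handlers: one issues a
// forms-authentication ticket over SSL, the other requires it on every request.
using System;
using System.Web;
using System.Web.Script.Serialization;
using System.Web.Security;

// Steps 1-2: the client POSTs username/password over SSL and gets a token as JSON.
public class LoginHandler : IHttpHandler
{
    public bool IsReusable { get { return true; } }

    public void ProcessRequest(HttpContext context)
    {
        HttpResponse resp = context.Response;
        resp.ContentType = "application/json";

        // Never accept a password over plain HTTP, and only via POST (no credentials in the URL/logs).
        if (!context.Request.IsSecureConnection || context.Request.HttpMethod != "POST")
        {
            resp.StatusCode = 403;
            resp.Write("{\"error\":\"HTTPS POST required\"}");
            return;
        }

        string user = context.Request.Form["username"];
        string pass = context.Request.Form["password"];
        if (!CheckCredentials(user, pass))
        {
            resp.StatusCode = 401;
            resp.Write("{\"error\":\"invalid credentials\"}");
            return;
        }

        // The ticket carries the user name and an expiry. Encrypt() both encrypts and
        // MACs it with the machineKey, so the client cannot forge or extend it.
        var ticket = new FormsAuthenticationTicket(
            1, user, DateTime.Now, DateTime.Now.AddHours(8), false, string.Empty);
        string token = FormsAuthentication.Encrypt(ticket);

        resp.Write(new JavaScriptSerializer().Serialize(new { token = token }));
    }

    // Hypothetical placeholder: replace with a lookup + salted password-hash comparison.
    private static bool CheckCredentials(string user, string pass)
    {
        return !string.IsNullOrEmpty(user) && !string.IsNullOrEmpty(pass);
    }
}

// Steps 3-4: every protected handler reads the token, decrypts it and rejects
// missing, tampered or expired tokens before touching any data.
public class ProtectedDataHandler : IHttpHandler
{
    public bool IsReusable { get { return true; } }

    public void ProcessRequest(HttpContext context)
    {
        HttpResponse resp = context.Response;
        resp.ContentType = "application/json";

        FormsAuthenticationTicket ticket = ReadTicket(context.Request);
        if (ticket == null)
        {
            resp.StatusCode = 401;
            resp.Write("{\"error\":\"missing or invalid token\"}");
            return;
        }

        // ticket.Name can be trusted here: only a holder of the machineKey can produce it.
        resp.Write(new JavaScriptSerializer().Serialize(
            new { user = ticket.Name, data = "protected payload" }));
    }

    // Returns null unless the request carries a valid, unexpired ticket over SSL.
    internal static FormsAuthenticationTicket ReadTicket(HttpRequest request)
    {
        if (!request.IsSecureConnection) return null;   // a replayed token on HTTP is refused too

        const string scheme = "Bearer ";
        string header = request.Headers["Authorization"];
        if (header == null || !header.StartsWith(scheme, StringComparison.Ordinal)) return null;

        try
        {
            FormsAuthenticationTicket ticket = FormsAuthentication.Decrypt(header.Substring(scheme.Length));
            if (ticket == null || ticket.Expired) return null;   // tampered, foreign-key or stale
            return ticket;
        }
        catch (Exception)   // malformed token text or failed MAC/decryption
        {
            return null;
        }
    }
}
```

Wire each class to an `.ashx` file (`<%@ WebHandler Language="C#" Class="LoginHandler" %>`) and, for the web-farm point in the answer, set an explicit `<machineKey validationKey="..." decryptionKey="..." validation="HMACSHA256" decryption="AES" />` in web.config on every node so tickets issued by one server decrypt on the others. Note what this does and does not buy you: someone watching the wire with Fiddler cannot read or forge tokens, but a user who owns the client machine can still capture their own token and replay the calls until it expires; the expiry on the ticket and a server-side revocation list bound the damage, and SSL is what keeps everyone else out.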
