Reputation: 1478
We have built a REST API. The API is built, and working, and uses basic authentication for every request.
We now wish to build other web applications that use the REST API. We're having issues working out how to do authentication in the web app, however.
Ideally, we want the web application to display a login page, where the user enters their credentials for the REST API. The problem is that once the user is "logged in" to the web application, how and where does the web application store the entered credentials, bearing in mind that it will need to keep them in order to submit them to the REST API whenever it makes a further request?
Modern web browsers must do something similar, no? When we access the REST API in the browser, it asks us for the username and password once, but subsequent requests resubmit the credentials we entered earlier. How can we replicate this in a web app? I'm assuming that storing them in the session is a bad idea...?
-- Edit
It's probably worth pointing out that the requests to the REST API will be made from the server, so we're not looking to store them client-side.
Upvotes: 2
Views: 4661
Reputation: 5537
I think that you're probably going about this wrong. If you have some business requirement to submit a username and password with every request, you should probably find the person who made the requirement and try very hard to talk some sense into them. There is simply no reason for it. That is what sessions are for.
You authenticate a user exactly once. Upon authentication, you give that user a session. You no longer need to authenticate because the session tells you who the user is.
Getting a user to enter their credentials with every request will annoy the living daylights out of them. Storing them client-side (in cookies or local storage) is problematic and has serious security implications. In all cases, sending a username/password pair across the wire with every request (while theoretically secure over HTTPS) is just a bad idea. This is pretty much the iconic use case for sessions; use them.
Upvotes: 1
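The pattern the answer describes (verify the Basic credentials exactly once, then identify the user by an opaque server-side session id) as an added example, not code from either poster. It uses only the Python standard library; the user table, salts and the `basic_header` helper are constructed stand-ins for the REST API's own credential check.

```python
import base64
import hmac
import secrets
import time
from hashlib import pbkdf2_hmac

# Constructed user store: username -> (salt, PBKDF2-SHA256 hash of the password).
# In the question's setup this check would be performed by the REST API itself.
_SALT = secrets.token_bytes(16)
USERS = {"alice": (_SALT, pbkdf2_hmac("sha256", b"correct horse", _SALT, 100_000))}

SESSION_TTL = 15 * 60            # seconds of idle validity before a session is dropped
_sessions = {}                   # session id -> {"user": ..., "expires": ...}, server-side only

def basic_header(user, password):
    """Build the 'Authorization: Basic ...' value a client sends once, at login."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()

def check_basic_auth(header):
    """Verify one Basic header against the user store; returns the username or None."""
    if not header or not header.startswith("Basic "):
        return None
    try:
        user, _, password = base64.b64decode(header[6:]).decode().partition(":")
    except (ValueError, UnicodeDecodeError):
        return None                              # malformed base64 or encoding
    record = USERS.get(user)
    if record is None:
        return None
    salt, stored = record
    candidate = pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return user if hmac.compare_digest(candidate, stored) else None  # constant-time compare

def login(header, now=None):
    """Authenticate exactly once; hand back an unguessable session id (set it as an HttpOnly, Secure cookie)."""
    user = check_basic_auth(header)
    if user is None:
        return None
    sid = secrets.token_urlsafe(32)              # 256 bits of randomness
    expires = (time.time() if now is None else now) + SESSION_TTL
    _sessions[sid] = {"user": user, "expires": expires}
    return sid

def user_for_session(sid, now=None):
    """Later requests present only the session id, never the password."""
    entry = _sessions.get(sid)
    if entry is None:
        return None
    if (time.time() if now is None else now) >= entry["expires"]:
        _sessions.pop(sid, None)                 # expired sessions are discarded, not renewed
        return None
    return entry["user"]

def logout(sid):
    """Invalidate the session server-side; the cookie alone becomes worthless."""
    _sessions.pop(sid, None)
```

The `now` argument exists only so expiry can be exercised deterministically; in a real app the password seen at login is never written anywhere, and only the session id travels on subsequent requests.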