Authentication between iPhone and ASP.NET WS (XML/JSON)

Question

I'm pretty new at this so please bear with me:

I'm writing an iPhone app that needs to authenticate with a web service that is currently hosted under IIS.

The iPhone client will first call the web service 'authenticate' method that takes in a username and password and checks on the server-end probably against a DB or AD/LDAP. Once the credentials has been verified as valid, the server will then send a 'true' response.

My question is this:

-What is the proper way to go about storing the authentication info for the duration of the app lifecycle(meaning, how do I do it in such a way that I don't have to keep verifying the user's username/password at every subsequent WS call.

-Is there a way to persist the user's authenticated session like in a normal browser session(log in once, session is stored on a server and will persist until the user logs out)

-Suggestions on what is the standard practice regarding these kind of operations(how does the other iphone apps like facebook, twitter that require authentication do this?)

Again, I would really appreciate any input or suggestions from everyone. Thanks.

Answer 1

The proper way to do it is to use OAuth with a mobile app profile. This way you can solve:

• authenticate a user
• and an application
• eliminate man in the middle attacks
• eventually be able to open your service to other apps/developers