Anil K

Reputation: 11

Authenticating/Authorising AJAX requests from client browser

We have a web service which is available to clients who register with us. We get the username, password and the IP/domain of the client during registration. This web service can be used by the registered clients in their applications. How do we authenticate the client if the web service call is made through a browser using an AJAX request? We are currently authenticating by using getReferrer (which gives us the client domain). We would like to know if there is a better way to handle this authentication.

Appreciate your help in this regard.

Thanks Anil K

Upvotes: 1

Views: 466

Answers (1)

Aziz Shaikh

Reputation: 16544

One way to secure the web service will require the following steps:

  • Add functionality on your website from where registered clients can request an "API key". This "key" will be a unique random string (preferably a fixed-length string).
  • The first web service call made by the client should be an authenticate call. In this call the client must pass the "API key" as an HTTP header value. On the server end, you should validate whether the incoming IP/domain and "API key" belong to a registered client. This way the client will not have to send "username/password" for authentication.
  • If the key and IP/domain match, then you can assume that this web service call is from a valid client. Now on the server end, generate a "token" (a unique random string) and send that "token" to the client as the "response" to the authenticate web service call.
  • This "token" must be sent by the client in each subsequent web service call. You must check whether this is a valid "token". The "token" should expire after a specific time duration. For example, if the "token" was not used during the last 15 minutes, then it should expire and the web service client will have to call the authenticate API again.

Hope this helps,

Upvotes: 1
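The two-step exchange described in the answer above (API key to an authenticate call, then a server-issued token on every later call, expiring after 15 minutes of inactivity), written out as an added example that is not part of the original question or answer. The header names `X-Api-Key` and `X-Auth-Token`, the `/authenticate` path, the sample client name and the IP addresses are assumptions made for the example; everything runs in memory with an injectable clock so the expiry rule can be exercised offline.

```python
import hashlib
import secrets
import time
from dataclasses import dataclass

TOKEN_IDLE_SECONDS = 15 * 60  # a token unused for 15 minutes expires (per the answer)


@dataclass
class Client:
    name: str
    api_key_hash: str   # SHA-256 of the API key; the plaintext key is never stored server-side
    allowed_ips: set


@dataclass
class Session:
    client: str
    ip: str             # IP the token was issued to; later calls must come from the same IP
    last_used: float


class AuthService:
    """In-memory registry of API keys and the short-lived tokens issued against them."""

    def __init__(self, now=time.time):
        self._now = now           # injectable clock (assumption for testing; use time.time in production)
        self._clients = {}        # api_key_hash -> Client
        self._sessions = {}       # token -> Session

    @staticmethod
    def _hash(key: str) -> str:
        return hashlib.sha256(key.encode()).hexdigest()

    def register(self, name: str, allowed_ips) -> str:
        """Issue a fixed-length random API key for a registered client; only its hash is kept."""
        api_key = secrets.token_urlsafe(32)   # 256 bits of randomness, fixed length
        self._clients[self._hash(api_key)] = Client(name, self._hash(api_key), set(allowed_ips))
        return api_key

    def authenticate(self, api_key: str, remote_ip: str):
        """Step 1: key + source IP must both match a registered client; returns a fresh token or None."""
        client = self._clients.get(self._hash(api_key))
        if client is None or remote_ip not in client.allowed_ips:
            return None
        token = secrets.token_urlsafe(32)
        self._sessions[token] = Session(client.name, remote_ip, self._now())
        return token

    def validate(self, token: str, remote_ip: str):
        """Step 2: check the token on every call, enforce the idle timeout, and refresh last_used."""
        session = self._sessions.get(token)
        if session is None:
            return None
        now = self._now()
        if now - session.last_used > TOKEN_IDLE_SECONDS or session.ip != remote_ip:
            del self._sessions[token]   # expired or replayed from another address: drop it
            return None
        session.last_used = now         # sliding window: activity keeps the token alive
        return session.client


def handle_request(svc: AuthService, path: str, headers: dict, remote_ip: str):
    """Minimal dispatcher: /authenticate consumes the API key, every other path needs the token."""
    if path == "/authenticate":
        token = svc.authenticate(headers.get("X-Api-Key", ""), remote_ip)
        if token is None:
            return 401, {"error": "unknown API key or source IP"}
        return 200, {"token": token}
    client = svc.validate(headers.get("X-Auth-Token", ""), remote_ip)
    if client is None:
        return 401, {"error": "missing or expired token; call /authenticate again"}
    return 200, {"client": client, "path": path}


if __name__ == "__main__":
    svc = AuthService()
    key = svc.register("acme", ["203.0.113.10"])            # constructed sample client
    status, body = handle_request(svc, "/authenticate", {"X-Api-Key": key}, "203.0.113.10")
    print(status, body)
    print(handle_request(svc, "/orders", {"X-Auth-Token": body["token"]}, "203.0.113.10"))
    print(handle_request(svc, "/orders", {"X-Auth-Token": body["token"]}, "198.51.100.1"))
```

The token is bound to the IP it was issued to and removed on the first failed check, so a leaked token is only useful from the registered address and only until it goes idle. Note that the source-IP check is the only thing standing between an API key and an attacker when the key is embedded in browser-side JavaScript, because anyone who loads the page can read it; the same holds for the Referer header, which the browser sets but any non-browser client can forge.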
