1

I want to create a responsive website that will work on all devices. The front end is HTML/CSS/JS, and I am going to create a bunch of APIs which will interact with the database and do all the business logic and data fetching required.

I want to implement OAuth for the front end's communication with my REST APIs. Why? I potentially see a need for more external parties to access my REST APIs in the future.

How can I do this without MVC or session? Without MVC, I suppose I might end up storing the site key, secret and auth ID in a cookie. How dangerous is it? Please let me know.

Thanks in advance.

tereško
Ravi
  • I am just thinking out loud. I do not want to choose the MVC/HTTPSession path without thinking. Can I store the key, secret, etc. in browser memory or something in a secure way? – Ravi Aug 21 '13 at 19:47

1 Answer

1

> How can I do this without MVC or session

Since you don't want to use a server-side MVC as a middle layer between your client side and your API endpoints, you're going to be building your application in JavaScript. In that case, do use an MV* framework to structure your data/event relationships to the API and page.

In terms of using OAuth, what you're going to need to do is use or write a JavaScript library for OAuth, and there are plenty of discussions about that. Here's one: application that uses OAuth and javascript.

Because you won't be using a middle layer, you won't be touching session either, and typically that means you're going to make some special key and hash it and store it as a cookie, thus giving every client a stateless connection to the API.

> How dangerous is it?

It is common practice, but you must salt and hash that key, otherwise the key will not be secure enough.

Community
Kristian
  • Thanks Kristian. _"it is common practice, but you must salt and hash that key, otherwise the key will be not secure enough."_ **Can you give me some reference?** – Ravi Aug 21 '13 at 18:32
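
As an added example (not part of the question, answer or comments above): one way to give each client a stateless credential in a cookie without placing the OAuth consumer key or secret in the browser. It swaps in an HMAC-signed, expiring token for the salted hash the answer mentions; `SERVER_SECRET`, `issueToken`, `verifyToken`, `cookieHeader` and the `api_token` cookie name are assumptions made for illustration.

```javascript
// Added example: stateless, signed API token carried in a cookie (Node.js, server side).
const crypto = require('node:crypto');

// Assumption: a server-only secret. In practice it is loaded from configuration
// so that every API instance verifies tokens with the same key.
const SERVER_SECRET = crypto.randomBytes(32);

function b64url(data) {
  return Buffer.from(data).toString('base64url');
}

function sign(payload) {
  return crypto.createHmac('sha256', SERVER_SECRET).update(payload).digest();
}

// Issue a token once the user has authenticated. It carries only an identifier
// and an expiry, never the OAuth consumer key or secret.
function issueToken(userId, ttlSeconds, now = Date.now()) {
  const exp = Math.floor(now / 1000) + ttlSeconds;
  const payload = b64url(JSON.stringify({ sub: userId, exp }));
  return `${payload}.${b64url(sign(payload))}`;
}

// Check the signature in constant time, then the expiry. Returns claims or null.
function verifyToken(token, now = Date.now()) {
  if (typeof token !== 'string') return null;
  const parts = token.split('.');
  if (parts.length !== 2) return null;
  const [payload, mac] = parts;
  const expected = sign(payload);
  const given = Buffer.from(mac, 'base64url');
  if (given.length !== expected.length) return null;
  if (!crypto.timingSafeEqual(given, expected)) return null;
  let claims;
  try {
    claims = JSON.parse(Buffer.from(payload, 'base64url').toString('utf8'));
  } catch {
    return null;
  }
  if (!claims || typeof claims.exp !== 'number') return null;
  if (claims.exp <= Math.floor(now / 1000)) return null;
  return claims;
}

// Cookie attributes that keep the token away from page scripts and plain HTTP.
function cookieHeader(token, ttlSeconds) {
  return `api_token=${token}; Max-Age=${ttlSeconds}; Path=/; HttpOnly; Secure; SameSite=Strict`;
}
```

Because the cookie is `HttpOnly`, the front-end script never reads it; the browser attaches it to same-site API requests and the API calls `verifyToken` on each one.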