Web API authentication

Question

I have been trying to wrap my brain around authentication on an API I am to develop.

I've tried to think of a way to successfully authenticate users, keeping in mind that users can access all data on the client, and I've come up with this idea.

Client sends username and password to the server
Server checks if they match a user.
    If it does, we create a hashed string with user_id+e-mail+currentTime+salt
    and stores this in a database-table with an expiration date.
Server returns hashed string to client

Client sends random request to server including key
Server checks if key is correct and if it's expired

Is this a secure way to do it, or do you see any security flaws?

What prevents someone from hijacking the key and making requests on the user's behalf? — Jason McCreary, Nov 10 '13 at 17:27
I suppose this would only be possible if someone were on the same network and sniffed it, and in this case would be good till the key expires. Do you have an idea on how to make it safer? — Pixark, Nov 10 '13 at 17:31
possible duplicate of [Creating an API for mobile applications - Authentication and Authorization](http://stackoverflow.com/questions/3963877/creating-an-api-for-mobile-applications-authentication-and-authorization) — Lawrence Cherone, Nov 10 '13 at 17:33
If you are not confident in your implementation please don't re-invent the wheel. Look into oauth. — PeeHaa, Nov 10 '13 at 17:36
Also look at this question - http://stackoverflow.com/questions/19616173/registering-and-authenticating-new-app-user-over-api/19616813 — Rotem Hermon, Nov 11 '13 at 07:01

Hunter Mitchell · Answer 1 · 2013-11-10T17:47:49.630

First, Do i see security flaws? Yes and No. If you are not using a secure connection, sending a users password and username through the net would not be a good idea. Especially if you have not Hashed the User's password in sha512 or whatever you use.

I would hash the password on the client Side, then send it.

Take a look at Twitter's API for example. They use the Keys to authenticate your account as well.

Here is a useful article.

Web API authentication

1 Answers1