We've built a WCF REST service with various functions allowing us to access data from our database, but we'd like to restrict access to these functions for obvious security reasons. It doesn't have to be too complicated.

In short, this is what I had in mind:

  1. The first step to access our service is to call a logon function of some sort where a username and password are passed.

  2. When authenticated against our database (or other), it would generate a token of some sort (i.e. a GUID will do) and store this in a session or a cookie on the server.

  3. Whenever another function is called, it would be required to pass this token, which would then be validated against the tokens held in sessions or cookies on the server rather than having to validate it against our database again.

     If it passes, the rest of the function would execute; otherwise, it would throw back an error and the logon function would need to be called again.

  4. The session or cookie would expire every x minutes.

Questions:

  1. Now is the above too simple?

  2. Can you use sessions with WCF REST services, as we may not have an ASP.NET website or other? This would just run in IIS under HTTP or HTTPS.

  3. Am I better off using cookies of some sort on the server instead of sessions, but can these expire?

  4. When passing the token, can I just pass it as part of my json object or should I pass this as a custom header of some sort?

Sorry if my suggestions or questions sound ridiculous or rather simplistic, but I know absolutely nothing about web authentication, and everything I'm reading seems complicated for what I want to achieve. As I said, it doesn't have to be over-complicated. I just want to restrict users from using this web service if they are not authorized or granted permission.

Can you redirect me to a sample? Any help or suggestion would be greatly appreciated.

I'd like to implement this before releasing to our clients.

Thanks.

Thierry

Update:

This post actually has a good visual representation of what I'm trying to achieve:

WCF REST based services authentication schemes

  • What do you mean by cookies on the server? – EkoostikMartin May 09 '14 at 18:03
  • Have you seen http://stackoverflow.com/questions/7551/best-practices-for-securing-a-rest-api-web-service ? – flup May 09 '14 at 18:06
  • By cookie on the server, I mean that instead of creating a cookie on the client side, it would store the cookie on your server when a logon request is made. Can you not create an actual cookie on the server side, where the token would be stored, and put some sort of expiration time on the cookie? I thought I read this somewhere as being one way to do it. I just can't remember where I read this, but the idea stuck and I thought at the time it seemed like a good way to do it, assuming it can be done. – Thierry May 11 '14 at 21:15
  • @flup I've just read the link. Thanks for that. Interesting but it's not actually telling me how best to implement a simple token base validation unless I'm to rely on existing standard. I have no problem with that except for time pressure right now. I'll look into it and I'll go buy that book on REST services from O'Reilly. Hopefully there will be something handy in there. Thanks. – Thierry May 11 '14 at 21:30
  • @Thierry The idea of HTTP Basic authentication is that you add an Authentication header to the request that contains username and password, Base64 encoded. Obviously, you should only use this across HTTPS, cause you want to send the password encrypted. You can do this for each request or use it to obtain a token from some kind of token service and then use the token to send with each request. – flup May 12 '14 at 12:52
  • @flup, thanks for the feedback. Do you have any recommendation on how to implement a simple token service? – Thierry May 13 '14 at 01:47
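The logon-then-token flow sketched in the question (steps 1 to 4) and the "Basic auth to obtain a token, then send the token with each request" exchange flup describes in the comments, modelled end to end as an added example. This is not code from the question or from WCF; it is a plain-Python sketch of what the service side does, with a constructed user record standing in for the database, an injectable clock so expiry can be exercised offline, and a tiny `handle` function standing in for the WCF dispatcher. The user name, password, paths, the 15-minute TTL and all function names are assumptions. Two deliberate choices differ from the question's sketch: the token comes from the OS CSPRNG rather than a GUID, and the server keeps only a hash of it, so a dump of the token store is not a set of usable credentials.

```python
import base64
import hashlib
import hmac
import secrets
import time

# Assumption: one constructed user record standing in for the database lookup of step 1.
# The password is held as a salted PBKDF2 hash, never in clear.
_SALT = b"constructed-salt-0123"   # constructed; use a random per-user salt in practice
_PBKDF2_ROUNDS = 100_000


def _password_hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, _PBKDF2_ROUNDS)


USERS = {"thierry": {"salt": _SALT, "hash": _password_hash("correct horse", _SALT)}}

TOKEN_TTL_SECONDS = 15 * 60   # the "expires every x minutes" of step 4 (assumed value)


class TokenService:
    """Server-side token store: the client only ever holds the opaque token string."""

    def __init__(self, ttl: float = TOKEN_TTL_SECONDS, now=time.time):
        self._ttl = ttl
        self._now = now           # injectable clock so expiry can be tested offline
        self._tokens = {}         # sha256(token) -> (username, expires_at)

    @staticmethod
    def _key(token: str) -> bytes:
        # Store a digest, not the token: a leaked store dump then contains no valid tokens.
        return hashlib.sha256(token.encode("utf-8")).digest()

    def logon(self, username: str, password: str):
        """Step 1/2: check the password, mint a token, remember it server-side."""
        user = USERS.get(username)
        # Hash even for unknown users so a missing account costs the same time as a wrong password.
        candidate = _password_hash(password, user["salt"] if user else _SALT)
        if user is None or not hmac.compare_digest(candidate, user["hash"]):
            return None
        token = secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG, unguessable by construction
        self._tokens[self._key(token)] = (username, self._now() + self._ttl)
        return token

    def validate(self, token):
        """Step 3: return the user bound to a live token, or None; no database hit."""
        if not token:
            return None
        entry = self._tokens.get(self._key(token))
        if entry is None:
            return None
        username, expires_at = entry
        if self._now() >= expires_at:
            self._tokens.pop(self._key(token), None)   # expired: client must log on again
            return None
        return username

    def logoff(self, token):
        self._tokens.pop(self._key(token), None)


def basic_header(username: str, password: str) -> dict:
    """Client side of flup's comment: Authorization: Basic base64(user:pass). HTTPS only."""
    raw = f"{username}:{password}".encode("utf-8")
    return {"Authorization": "Basic " + base64.b64encode(raw).decode("ascii")}


def credentials_from_basic_header(headers: dict):
    scheme, _, payload = headers.get("Authorization", "").partition(" ")
    if scheme.lower() != "basic" or not payload:
        return None
    try:
        decoded = base64.b64decode(payload, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):   # binascii.Error is a ValueError
        return None
    username, sep, password = decoded.partition(":")
    return (username, password) if sep and username else None


def token_from_bearer_header(headers: dict):
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    return token if scheme.lower() == "bearer" and token else None


def handle(service: TokenService, request: dict):
    """Stand-in for the WCF dispatcher. request = {"path": str, "headers": dict}."""
    headers = request["headers"]
    if request["path"] == "/logon":
        creds = credentials_from_basic_header(headers)
        token = service.logon(*creds) if creds else None
        if token is None:
            return 401, {"error": "logon failed"}   # same answer for bad user and bad password
        return 200, {"token": token}
    # Every other operation: token comes from the header and is checked against the store only.
    user = service.validate(token_from_bearer_header(headers))
    if user is None:
        return 401, {"error": "valid token required; call /logon"}
    if request["path"] == "/customers":
        return 200, {"user": user, "customers": ["acme", "globex"]}   # constructed data
    return 404, {}
```

On question 4: the token travels in the `Authorization` header rather than inside the JSON body, so it is carried the same way by every verb (including GET, which has no body), it stays out of request bodies that get logged, and the dispatcher can reject a request before it parses any payload. As flup notes, both the Basic logon and the bearer token are only as secret as the transport, so this is HTTPS-only.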
